ACF2 And Top Secret Equivalent Of RACF Commands For SSHD

Article ID: 260237

Products

ACF2, Top Secret, Web Administrator for Top Secret, Top Secret - LDAP

Issue/Introduction

The SSHD documentation supplies RACF commands for its SAF (external security manager) requirements. What are the ACF2 and Top Secret equivalents of these commands?

Environment

Release : 16.0

Resolution

SSHD (Port 922) for Ansible - Implementation Procedures

Step 1 - Create group and unprivileged USER account (SSHD).

RACF
ADDGROUP SSHDG OMVS(GID(999))
ADDUSER SSHD DFLTGRP(SSHDG) OMVS(UID(999) HOME('/var/empty') PROGRAM('/bin/false')) NOPASSWORD

ACF2
ACF
SET PROFILE(GROUP) DIV(OMVS)
INSERT SSHDG GID(999)
SET LID
INSERT SSHD NAME(SSH User) GROUP(SSHDG) UID(999)-
HOME(/var/empty) PROGRAM(/bin/false) RESTRICT

TSS
TSS CREATE(SSHDG) TYPE(GROUP) DEPT(dept) NAME('SSHD Group')
TSS ADD(SSHDG) GID(999)
TSS CREATE(SSHD) TYPE(USER) DEPT(dept) -
 NAME('SSHD Unprivileged USER Account') PROTECTED
TSS ADD(SSHD) UID(999) GROUP(SSHDG) DFLTGRP(SSHDG)
TSS ADD(SSHD) HOME(/var/empty) OMVSPGM(/bin/false)
TSS ADD(SSHD) FAC(BATCH)

Step 2 - Create privileged USER account (SSHDAEM)

RACF
ADDUSER SSHDAEM DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD

ACF2
ACF
SET LID
INSERT SSHDAEM NAME(SSHDAEM User) GROUP(OMVSGRP) UID(0) -
HOME(/) PROGRAM(/bin/sh)

* Note: If OMVSGRP does not exist it would need to be created and assigned a GID

TSS
TSS CREATE(SSHDAEM) TYPE(USER) DEPT(dept) -
 NAME('SSHD Privileged USER Account') PROTECTED
TSS ADD(SSHDAEM) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
TSS ADD(SSHDAEM) HOME(/) OMVSPGM(/bin/sh)
TSS ADD(SSHDAEM) FAC(STC)

Step 3 - Started class entry for the started task.

RACF
RDEFINE STARTED SSHD.* STDATA(USER(SSHDAEM)
GROUP(OMVSGRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

ACF2
ACF
SET CONTROL(GSO)
INSERT STC.SSH GROUP(OMVSGRP) LOGONID(SSHDAEM) STCID(SSHD-)
F ACF2,REFRESH(STC)

* Note: If OMVSGRP does not exist it would need to be created and assigned a GID.

TSS
TSS ADD(STC) PROCNAME(SSHD*) ACID(SSHDAEM)

Step 4 - Permit privileged USER account to BPX.DAEMON profile.

RACF
PERMIT BPX.DAEMON CLASS(FACILITY) ID(SSHDAEM) ACCESS(READ)

ACF2
ACF
SET RESOURCE(FAC)
RECKEY BPX ADD(DAEMON UID(<uid for SSHDAEM>) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

TSS
TSS PERMIT(SSHDAEM) IBMFAC(BPX.DAEMON) ACCESS(READ)

Step 5 - Grant access to the IRR.DIGTCERT.** profiles to the privileged USER account SSHDAEM

RACF
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(READ) ID(SSHDAEM)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(UPDATE) ID(SSHDAEM) 
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ACCESS(CONTROL) ID(SSHDAEM)

ACF2
ACF
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.LIST UID(<uid for SSHDAEM>) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(<uid for SSHDAEM>) SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD(DIGTCERT.GENCERT UID(<uid for SSHDAEM>) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(FAC)

TSS
TSS PERMIT(SSHDAEM) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)
TSS PERMIT(SSHDAEM) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)
TSS PERMIT(SSHDAEM) IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(CONTROL)

Step 6 - Grant READ access for the privileged USER account (SSHDAEM) to the following ICSF callable-service profiles in the CSFSERV class (the services SSHD uses for digital signatures).

CSFIQA, CSF1TRC, CSF1TRD, CSF1PKS, CSF1PKV, CSF1DVK, CSF1GAV
If a cryptographic coprocessor card is installed, add these profiles as well:
CSFDSG, CSFDSV, CSFPKI

ACF2
* By default, ACF2 assigns the 3-character type code "SAF"
* to the CSFSERV resource class. Sites might prefer to
* change the default type code to "CSF" or another value.
* To change the CSFSERV class type code to "CSF", a GSO CLASMAP
* record can be INSERTed from TSO ACF as follows:
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF)   
F ACF2,REFRESH(CLASMAP)
* The CSFSERV resource class type code must be made resident
* by adding the type code to the GSO INFODIR record. Make
* resource rules with type code CSF resident:
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCSF) ADD
F ACF2,REFRESH(INFODIR)
*
* ICSF callable services in the CSFSERV class.
SET RESOURCE(CSF)
RECKEY CSFIQA ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1TRC ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1TRD ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1PKS ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1PKV ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1DVK ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1GAV ADD(UID(<uid for SSHDAEM>) ALLOW)
F ACF2,REBUILD(CSF)
* If a cryptographic coprocessor card is installed, add these profiles as well.
SET RESOURCE(CSF)
RECKEY CSFDSG ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSFDSV ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSFPKI ADD(UID(<uid for SSHDAEM>) ALLOW)
F ACF2,REBUILD(CSF)

TSS
TSS ADD(dept) CSFSERV(CSFIQA)       - if not already done
TSS ADD(dept) CSFSERV(CSF1TRC)      - if not already done
TSS ADD(dept) CSFSERV(CSF1TRD)      - if not already done
TSS ADD(dept) CSFSERV(CSF1PKS)      - if not already done
TSS ADD(dept) CSFSERV(CSF1PKV)      - if not already done
TSS ADD(dept) CSFSERV(CSF1DVK)      - if not already done
TSS ADD(dept) CSFSERV(CSF1GAV)      - if not already done
/*
TSS PERMIT(SSHDAEM) CSFSERV(CSFIQA) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1TRC) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1TRD) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1PKS) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1PKV) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1DVK) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1GAV) ACCESS(READ)
/*
/* If a cryptographic coprocessor card is installed,
/*  add these profiles as well.
TSS ADD(dept) CSFSERV(CSFDSG)       - if not already done
TSS ADD(dept) CSFSERV(CSFDSV)       - if not already done
TSS ADD(dept) CSFSERV(CSFPKI)       - if not already done
/*
TSS PERMIT(SSHDAEM) CSFSERV(CSFDSG) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSFDSV) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSFPKI) ACCESS(READ)

Step 7 - Create the Keyring for your host keys (SSHDring).

RACF
RACDCERT ID(SSHDAEM) ADDRING(SSHDring)

ACF2
ACF
SET P(USER) DIV(KEYRING)
INSERT SSHDAEM.ring RINGNAME(SSHDring)

TSS
TSS ADD(SSHDAEM) KEYRING(SSHDRING) LABLRING(SSHDring)

Step 8 (optional) - Protect SSHDring from USER accounts that have access to the IRR.DIGTCERT.** profiles.

RACF
RDEFINE RDATALIB SSHDAEM.SSHDring.LST UACC(NONE)
PERMIT SSHDAEM.SSHDring.LST CLASS(RDATALIB) ID(SSHDAEM) ACCESS(READ)

* Note: The RDATALIB class must be active (and RACLISTed) before this ring-specific profile is checked.

ACF2
ACF
SET RESOURCE(RDA)
RECKEY SSHDAEM ADD(SSHDring.LST UID(<uid for SSHDAEM>) SERVICE(READ) ALLOW)
F ACF2,REBUILD(RDA)

TSS
TSS ADD(dept) RDATALIB(SSHDAEM.SSHDRING.LST) if not already done
TSS PER(SSHDAEM) RDATALIB(SSHDAEM.SSHDRING.LST) ACCESS(READ)

Step 9 - Generate host keys in SAF.

RACF
RACDCERT GENCERT ID(SSHDAEM) SUBJECTSDN(CN('host-ssh-rsa-cn'))
SIZE(2048) WITHLABEL('host-ssh-rsa')
RACDCERT GENCERT ID(SSHDAEM) SUBJECTSDN(CN('host-ssh-ecdsa-cn'))
SIZE(256) NISTECC WITHLABEL('host-ssh-ecdsa')

ACF2
ACF
SET PROFILE(USER) DIVISION(CERTDATA)
GENCERT SSHDAEM.sshrsa LABEL(host-ssh-rsa) SIZE(2048) -
SUBJSDN(CN='host-ssh-rsa-cn')
GENCERT SSHDAEM.sshecda LABEL(host-ssh-ecdsa) SIZE(256) NISTECC -
SUBJSDN(CN='host-ssh-ecdsa-cn')

TSS
TSS GENCERT(SSHDAEM) DIGICERT(xxxxxxxx) -
 LABLCERT('host-ssh-rsa') -
 SUBJECTN('CN="host-ssh-rsa-cn"') KEYSIZE(2048)
TSS GENCERT(SSHDAEM) DIGICERT(yyyyyyyy) -
 LABLCERT('host-ssh-ecdsa') -
 SUBJECTN('CN="host-ssh-ecdsa-cn"') KEYSIZE(256) NISTECC

Step 10 - Connect Keys to host keyring (SSHDring).

RACF
RACDCERT CONNECT(ID(SSHDAEM) LABEL('host-ssh-rsa')
RING(SSHDring) USAGE(PERSONAL)) ID(SSHDAEM)
RACDCERT CONNECT(ID(SSHDAEM) LABEL('host-ssh-ecdsa')
RING(SSHDring) USAGE(PERSONAL)) ID(SSHDAEM)

ACF2
ACF
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(SSHDAEM.sshrsa) KEYRING(SSHDAEM.ring) USAGE(PERSONAL)
CONNECT CERTDATA(SSHDAEM.sshecda) KEYRING(SSHDAEM.ring) USAGE(PERSONAL)

TSS
TSS ADD(SSHDAEM) KEYRING(SSHDRING) DIGICERT(xxxxxxxx) USAGE(PERSONAL)
TSS ADD(SSHDAEM) KEYRING(SSHDRING) DIGICERT(yyyyyyyy) USAGE(PERSONAL)

Step 11 - Create the Keyring for your Known host keys (SSHKnownHostsRing).

RACF
RACDCERT ID(SSHDAEM) ADDRING(SSHKnownHostsRing)

ACF2
ACF
SET PROFILE(USER) DIVISION(KEYRING)
INSERT SSHDAEM.keyr01 RINGNAME(SSHKnownHostsRing)

TSS
TSS ADD(SSHDAEM) KEYRING(SSHKHRNG) LABLRING(SSHKnownHostsRing)

Step 12 - Export each host's certificate (public key only, without the private key) in DER format and FTP it in binary mode to the local host.

From z/OS:

RACF
RACDCERT EXPORT(LABEL('host-ssh-type')) ID(SSHDAEM)
FORMAT(CERTDER) DSN('host.sshcert.type')

ACF2
ACF
SET PROFILE(USER) DIV(CERTDATA)
EXPORT SSHDAEM.??????? DSN('host.sshcert.type') FORMAT(CERTDER)

** NOTE: The RACDCERT EXPORT command assumes that a certificate with LABEL('host-ssh-type') exists in the security database. For ACF2, SSHDAEM.??????? is the CERTDATA record name of that certificate in the ACF2 INFOSTG database.

TSS
TSS EXPORT(SSHDAEM) DIGICERT(zzzzzzzz) -
  DSN('host.sshcert.type') FORMAT(CERTDER)

where 'zzzzzzzz' is the DIGICERT record whose label is 'host-ssh-type'.

** NOTE: The RACDCERT EXPORT command assumes that a certificate with LABEL('host-ssh-type') exists in the security database. For Top Secret, this is the DIGICERT that has LABLCERT('host-ssh-type') in the Top Secret database. If the certificate does not exist in the security database, obtain the key from the Linux/Unix host using the openssl command below.

From Linux/Unix:

openssl x509 -pubkey -noout -in certificate.pem > pubcertkey.pub
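Step 12 asks for two properties of the transferred file: it must be a DER-encoded certificate and it must not carry the private key. The following Python is an added example, not code from this article or from the SSHD or z/OS documentation; it uses only the standard library and builds its own certificate-shaped DER skeleton (constructed sample bytes, not a real certificate) so it runs offline. It walks the outer X.509 structure (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }), rejects PEM private-key material, and reports a file whose DER length fields no longer match its size, which is what a transfer done in text rather than binary mode typically leaves behind.

```python
"""Pre-import sanity checks for a host certificate file received from z/OS.

Added example, not part of the article. The sample DER bytes below are a
constructed certificate-shaped skeleton; the OID used is sha256WithRSAEncryption
but the signature value is dummy data.
"""
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at data[pos:]; return (tag, body, position after it)."""
    tag = data[pos]
    first = data[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("indefinite or oversized length: not DER")
        n = int.from_bytes(data[pos + 2:pos + 2 + k], "big")
        hdr = 2 + k
    start = pos + hdr
    if start + n > len(data):
        raise ValueError("length field runs past end of data")
    return tag, data[start:start + n], start + n


PEM_CERT = b"-----BEGIN CERTIFICATE-----"


def classify_export(data: bytes) -> str:
    """Return 'private-key', 'pem', 'der' or 'corrupt' for a received file."""
    if b"PRIVATE KEY" in data:          # wrong thing was exported: refuse it
        return "private-key"
    if data.lstrip().startswith(PEM_CERT):
        return "pem"                     # usable, but not the CERTDER the step asks for
    try:
        tag, body, end = read_tlv(data)
        if tag != 0x30 or end != len(data):
            return "corrupt"             # trailing/missing bytes: not binary-transferred
        t1, _tbs, p = read_tlv(body)     # tbsCertificate      SEQUENCE
        t2, _alg, p = read_tlv(body, p)  # signatureAlgorithm  SEQUENCE
        t3, _sig, p = read_tlv(body, p)  # signatureValue      BIT STRING
        if (t1, t2, t3) != (0x30, 0x30, 0x03) or p != len(body):
            return "corrupt"
        return "der"
    except (IndexError, ValueError):
        return "corrupt"


def der_serial(data: bytes) -> int:
    """Extract serialNumber from tbsCertificate (skipping the optional [0] version)."""
    _, body, _ = read_tlv(data)
    _, tbs, _ = read_tlv(body)
    tag, first, p = read_tlv(tbs)
    if tag == 0xA0:                      # explicit [0] version present
        tag, first, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(first, "big", signed=True)


def fingerprint_sha256(data: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes, to compare with the z/OS side."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(data).digest())


# Constructed sample (hypothetical): certificate-shaped DER, not a usable certificate.
_SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
SAMPLE_TBS = der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3
    + der_tlv(0x02, b"\x01\x23\x45")          # serialNumber 0x012345
    + _SHA256_RSA)                            # signature algorithm
SAMPLE_DER = der_tlv(0x30,
    SAMPLE_TBS
    + _SHA256_RSA
    + der_tlv(0x03, b"\x00" + b"\xAB\x0A" * 128))  # dummy signatureValue containing LF bytes
```

Run classify_export() over the data set after the FTP: 'corrupt' means the transfer was not done in binary mode and must be repeated, 'private-key' means the wrong object was exported, and only 'der' should proceed to Step 13. Comparing fingerprint_sha256() with the value computed on the sending side catches silent truncation as well.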

Step 13 - Import to SAF.

RACF
RACDCERT ADD('host.sshcert.type') ID(SSHDAEM)
WITHLABEL('host-ssh-type') TRUST

ACF2
ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT SSHDAEM.sshhost DSN('host.sshcert.type') -
LABEL(host-ssh-type) TRUST

TSS
TSS ADD(SSHDAEM) DIGICERT(zzzzzzzz) -
 LABLCERT('host-ssh-type') TRUST

Step 14 - Connect each certificate into the known hosts keyring (SSHKnownHostsRing)

RACF
RACDCERT CONNECT(ID(SSHDAEM) LABEL('host-ssh-type')
RING(SSHKnownHostsRing)) ID(SSHDAEM)

ACF2
ACF
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(SSHDAEM.sshhost) KEYRING(SSHDAEM.keyr01)

TSS
TSS ADD(SSHDAEM) KEYRING(SSHKHRNG) DIGICERT(zzzzzzzz)