I have configured a RACF certificate for using the sftp client & it works fine for the ID that I created it for, but I need to have multiple users be able to use this certificate for connections to a vendor. What do I need to configure in RACF to allow this? Below is my certificate definition:
RACDCERT ID(A083788) GENCERT +
SUBJECTSDN( +
CN('XXXXXX SFTP' ) +
O('XXXXXX') +
OU('TECH SFTP') +
C('US')) +
NOTAFTER(DATE(2020-01-30)) +
WITHLABEL('XXXX TECH SFTP')
/* Create a KEYRING for the user */
RACDCERT ID(A083788) ADDRING(TECHSFPTRING)
/* Connect the certificate to the ring */
RACDCERT ID(A083788) CONNECT ( +
ID(A083788) +
LABEL('XXXX TECH SFTP') +
RING(TECHSFPTRING) +
DEFAULT +
USAGE(PERSONAL) )
/* Refresh to activate */
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
How do I share a RACF Certificate between multiple ids?
- Posts: 3
- Joined: Thu May 09, 2013 7:20 am
Re: How do I share a RACF Certificate between multiple ids?
If I run my sftp from user id A083788 it works fine:
CoZBatch[N]: Copyright (C) 2005-2009 Dovetailed Technologies LLC. All rights reserved.
CoZBatch[N]: version 2.2.0 2012-09-01
CoZBatch: executing progname=login-shell="-/bin/sh"
Connect via IdentityKeyRingLabel using SAF Certificate "* XXXX TECH SFTP"...
Executing: /products/isv/coz/bin/cozsftp -oIdentityKeyRingLabel="\"* XXXX TECH SFTP\"" -oConnectTimeout=60
-oServerAliveInterval=60 -oStrictHostKeyChecking=yes -b- Z083788@m982p021.lab.xxxxxx.com
Co:Z SFTP version: 2.2.0 (5.0p1) 2012-09-01
Copyright (C) Dovetailed Technologies, LLC. 2011. All rights reserved.
cozsftp> ls -al
ZosUtil: SSH process times: elapsed=5 secs, user cpu=0.090000 secs, sys cpu=0.020000 secs
Volume Referred Ext Tracks Used Recfm Lrecl BlkSz Dsorg Dsname
TS2059 2013/05/09 1 15 3 FB 80 6480 PO Z083788.PROFILE.LIB
TD203E+ 2013/05/02 1 1 1 U 0 6144 PS Z083788.SFTP.TESTFILE
TD600B+ 2013/05/09 1 9 1 VA 125 129 PS Z083788.SYPLEX01.SPFLOG1.LIST
TDH01E 2010/09/27 1 15 ? FB 80 32720 PO-E Z083788.UTILITY.LIB
VS Z083788.ZFS.SHARED
TD600B 2013/05/09 1 15 ? U 0 0 VS Z083788.ZFS.SHARED.DATA
CoZBatch: returning rc=exitcode=0
But if I run from user id Z083788 I have a problem
I have implemented the RACF CLASS(RDATALIB) and added a profile for my keyring and I am receiving:
CoZBatch[N]: Copyright (C) 2005-2009 Dovetailed Technologies LLC. All rights reserved.
CoZBatch[N]: version 2.2.0 2012-09-01
CoZBatch: executing progname=login-shell="-/bin/sh"
Connect via IdentityKeyRingLabel using SAF Certificate "A083788/* XXXX TECH SFTP"...
Executing: /products/isv/coz/bin/cozsftp -oIdentityKeyRingLabel="\"A083788/* XXXX TECH SFTP\"" -oConnectTimeout=60
-oServerAliveInterval=60 -oStrictHostKeyChecking=yes -b- Z083788@m982p021.lab.xxxxxx.com
Co:Z SFTP version: 2.2.0 (5.0p1) 2012-09-01
Copyright (C) Dovetailed Technologies, LLC. 2011. All rights reserved.
FOTS2920 zsshGetKeyFromRecord: Private key not available for certificate in key ring 'A083788/*' with label 'XXXX TECH SFTP'
FOTS1373 Permission denied (publickey,password).
[28.102] Connection closed
CoZBatch: returning rc=exitcode=255
Re: How do I share a RACF Certificate between multiple ids?
Hi Dave,
You can allow another userid (other than the owner) to use a keyring with the RDATALIB class.
For example:
PERMIT A083788.TECHSFTPRING.LST ID(A123456) ACC(UPDATE)
(You would also need to activate and RACLIST the RDATALIB class and define this resource.)
For more information, see "Permissions for using a Key Ring" - Slide 18 of the webinar: "IBM Ported Tools for z/OS: OpenSSH - Using Key Rings"
The slides and recording can be found in our archive: http://dovetail.com/webinars.html
Re: How do I share a RACF Certificate between multiple ids?
This is my RDATALIB definition from RACF so that Z083788 has UPDATE access to it:
CLASS NAME
----- ----
RDATALIB A083788.TECHSFTPRING.LST
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 A083788 NONE ALTER NO
INSTALLATION DATA
USER ACCESS ACCESS COUNT
---- ------ ------ -----
A083788 ALTER 000000
Z083788 UPDATE 000000
Re: How do I share a RACF Certificate between multiple ids?
I apologize, I didn't look at your problem closely enough.
The error that you are getting is from IBM Ported Tools ssh:
FOTS2920 zsshGetKeyFromRecord: Private key not available for certificate in key ring 'A083788/*' with label 'XXXX TECH SFTP'
Are you getting ICH408I messages? Since you are using "virtual key ring" syntax, then you may need to grant access to the virtual key ring:
PERMIT A083788.IRR_VIRTUAL_KEYRING.LST CLASS(RDATALIB) ID(XXXXX) ACC(UPDATE)
Note that this will grant ID XXXX to use any certificate in A083788's virtual key ring (i.e. any of his keys)
An alternative to using IBM Ported Tools' "IdentityKeyRingLabel" is to use the Co:Z saf-ssh-agent for key support, which has other advantages.
The example batch scripts that you are using will automatically use the saf-ssh-agent, but by default only if you don't have spaces in your key ring label.
So, if you can regenerate your key so that the label doesn't have spaces, then the executed command will look like this:
.../cozsftp -k "A083788/*:MYLABEL" ...
If you can't regenerate your key, let me know and I'll show you how to work around this in the script so as to manually specify the "-k" option.
If neither of these suggestions works, please post your input script.
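The two replies above describe the same mechanism from two angles: the RDATALIB profile that is checked depends on how the client names the ring. A call that names the real ring ("A083788/TECHSFPTRING") is checked against A083788.TECHSFPTRING.LST; a call that uses the virtual key ring ("A083788/*", which is what the failing run shows) is checked against A083788.IRR_VIRTUAL_KEYRING.LST, and UPDATE on that profile hands out the private key of every certificate A083788 owns. The sequence below is an added example, not code from the thread or from Dovetail, that puts both paths together. User IDs, the ring name and the label are the thread's own; note that the profile name must match the ring name given on ADDRING exactly (the original post spells it TECHSFPTRING while the RLIST output shows TECHSFTPRING, so check which one really exists). Access semantics are those documented for RDATALIB: READ covers the ring's certificates plus the private key of certificates the caller owns, UPDATE adds the private key of any user certificate in the ring.

```tso
/* Added example: let Z083788 use the private key of A083788's SFTP     */
/* client certificate via RDATALIB. Names come from the thread above.   */

/* 1. RDATALIB must be active and RACLISTed before any .LST profile     */
/*    is consulted; without this the older FACILITY checks apply.       */
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)

/* 2. Protect the NAMED ring: <ringowner>.<ringname>.LST, spelled        */
/*    exactly as on RACDCERT ADDRING. UACC(NONE) so nobody else gets    */
/*    it by default.                                                    */
RDEFINE RDATALIB A083788.TECHSFPTRING.LST UACC(NONE)

/* 3. Z083788 needs the private key of a certificate owned by A083788,  */
/*    which is what UPDATE (not READ) on the named ring permits.        */
PERMIT A083788.TECHSFPTRING.LST CLASS(RDATALIB) ID(Z083788) ACCESS(UPDATE)

/* 4. Only if the client keeps using the virtual ring "A083788/*":       */
/*    that lookup is checked against a different profile, and UPDATE    */
/*    here exposes the private key of EVERY certificate A083788 owns.   */
/*    Preferred: point the client at the named ring instead and leave   */
/*    these two commands out (shown commented for completeness).        */
/* RDEFINE RDATALIB A083788.IRR_VIRTUAL_KEYRING.LST UACC(NONE)          */
/* PERMIT A083788.IRR_VIRTUAL_KEYRING.LST CLASS(RDATALIB) +             */
/*        ID(Z083788) ACCESS(UPDATE)                                    */

/* 5. Make the new profile and permission effective.                    */
SETROPTS RACLIST(RDATALIB) REFRESH

/* 6. Verify: who can reach the ring, and that the certificate with the */
/*    expected label is actually connected to it with USAGE(PERSONAL).  */
RLIST RDATALIB A083788.TECHSFPTRING.LST AUTHUSER
RACDCERT ID(A083788) LISTRING(TECHSFPTRING)
```

With the named ring protected this way, the client has to reference it by name rather than through the virtual ring, i.e. per the IBM Ported Tools ssh_config syntax `IdentityKeyRingLabel "ringOwner/ringName label"`, the option becomes `-oIdentityKeyRingLabel="\"A083788/TECHSFPTRING XXXX TECH SFTP\""` (the Co:Z saf-ssh-agent form `-k "A083788/TECHSFPTRING:label"` follows the same idea). If the FOTS2920 message persists after the REFRESH, look for an ICH408I message on Z083788's job for the exact RDATALIB resource name that failed; the name in that message tells you which of the two profiles above is the one being checked.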