RACF Questions

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
keer1gl
Posts: 2
Joined: Thu Jun 21, 2018 11:17 am

RACF Questions

Post by keer1gl »

I am setting up secured transfer of encrypted data from scratch on a z/OS 2.2 system. Initially we did not have either ICSF or OpenSSH configured. I do have the PTF for OA45548 applied. I have successfully used interactive sftp and am now trying to do batch sftp of MVS data sets using COZSFTP. I have two RACF related questions.

CPU use seems high for the small amount of data being processed. Neither the CSFSERV nor CSFKEYS classes are active. Would activating these classes reduce CPU use?

I received "SafSshAgent[E]: Access to keyring: '/etc/ssh/ssh_host_rsa_key.pub' denied, SAF access to FACILITY/IRR.DIGTCERT.LISTRING is required" on my first attempt at running a COZSFTP job. I used the z/OS OpenSSH - Quick Install Guide as my template. It states that keys can be stored in UNIX files or SAF/RACF keyrings. My intent was just to use files. I did not overtly do anything to get RACF involved so directly. The FACILITY class is active, but there are no IRR. profiles defined and I do not see any generic rules that would apply. Is using IRR.DIGTCERT.LISTRING required?
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: RACF Questions

Post by dovetail »

This message:
SafSshAgent[E]: Access to keyring: '/etc/ssh/ssh_host_rsa_key.pub' denied, SAF access to FACILITY/IRR.DIGTCERT.LISTRING is required

means that you are trying to use a Unix key file as if it were a RACF keyring certificate.

If you have created a user private key and you want to use it to authenticate the user, then either:

a) name it $HOME/.ssh/id_rsa (assuming it is an rsa key)
b) explicitly point to your custom name using: -oIdentityFile=/path/to/mykey.rsa

Note: /etc/ssh/ssh_host_rsa_key.pub is the ssh server public key. It makes no sense to try to use this as a user private key.

For more information, please watch these webinar recordings:
https://dovetail.com/webinars.html

IBM Ported Tools for z/OS: OpenSSH - Using Key Rings (part 1)
IBM Ported Tools for z/OS: OpenSSH - Key Authentication (part 2)
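
A preflight check for the mistake described in the reply above, as an added example that is not part of the original thread or of Co:Z: before a batch job runs, it confirms that the file passed to -oIdentityFile is a user private key rather than a public key or a server host key, and that it is not group- or world-accessible. The function name `check_identity_file` and its result words are made up for this example, and it assumes the key file is text in the shell's native code page.

```shell
#!/bin/sh
# Added example: preflight check for the file named in -oIdentityFile.
# check_identity_file and its result words are hypothetical names.
# Assumes the key file is text in the shell's native code page.

check_identity_file() {
    f=$1
    # The file has to exist before anything else can be checked.
    if [ ! -f "$f" ]; then
        echo missing; return 1
    fi
    # Server host keys (ssh_host_*) identify the sshd server, not a user.
    case $f in
        */ssh_host_*|ssh_host_*) echo host-key; return 1 ;;
    esac
    # OpenSSH public keys start with the key type; private keys are PEM-style.
    first=$(head -n 1 "$f")
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*)
            echo public-key; return 1 ;;
        *)  echo unknown; return 1 ;;
    esac
    # ssh ignores a private key that has any group or other permission bits set.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo too-open; return 1
    fi
    echo ok
}

# Stand-alone use: sh check_identity.sh /path/to/mykey.rsa
if [ $# -gt 0 ]; then
    check_identity_file "$1"
fi
```

The function prints one word (ok, missing, host-key, public-key, unknown or too-open) and returns 0 only for ok, so a job step can stop before sftp is started.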