What are the ACF2 equivalent commands to the RACF commands in "F.4 RACF Digital Certificate authentication"?
Also, what are the pros/cons to specifying ICSF for the certificate? We have a crypto coprocessor and SSL accelerator.
ACF2 equivalent for Digital Certificate authentication
Re: ACF2 equivalent for Digital Certificate authentication
We don't document the command language for other security products. You would need to refer to Broadcom documentation for translation.
Regarding storing certificate private keys in ICSF: you can put the SAF keys in RACF (ACF2) keyrings, but putting them on a card via ICSF offers better protection - the same consideration as with any private key in a key ring. When you have your keys in a keyring, then ICSF will be used by z/OS OpenSSH for key operations. The performance of this is not usually a concern, since the key operation generally occurs once per session.
I would recommend that you look at the webinar "IBM Ported Tools for z/OS: OpenSSH - Using Key Rings" found near the bottom of this page: https://dovetail.com/webinars.html
You probably want to review the preceding webinar: "IBM Ported Tools for z/OS: OpenSSH - Key Authentication" for background.
These are both very useful for understanding how key authentication and key rings work on z/OS OpenSSH.