Import ssh-keygen private key into RACF Keyring

General discussion of the Co:Z Toolkit
jacobsm
Posts: 37
Joined: Thu Apr 23, 2009 9:18 am
Location: Tampa, Florida

Import ssh-keygen private key into RACF Keyring

Post by jacobsm »

We're looking to begin a migration process of our existing ssh-keygen created keypair authentication based environment into RACF. We know that we can generate new certificates within RACF and distribute the public piece of the certificate to our partners, but we'd really like to use the existing private keys for all of our existing sftp processes.

I've successfully converted an id_rsa private key into a format that RACF happily imported into my keyring, but when I attempt to use it I'm getting this error:

SafSshAgent[E]: gsk_sign_data error: Key not supported by encryption or signature algorithm (0x03353030)

The certificate looks like this:

Label: AIMJ3.SSHCERT.cer
Certificate ID: 2QXBydTR88HJ1NHzS+LiyMPF2eNLg4WZ
Status: TRUST
Start Date: 2012/10/25 11:21:04
End Date: 2012/11/24 11:21:04
Serial Number:
>0087AD50235889EF46<
Issuer's Name:
>mark.jacobs@custserv.com.CN=Mark Jacobs.OU=Time Customer Service.O=Ti<
>me Inc.L=Tampa.SP=Florida.C=US<
Subject's Name:
>mark.jacobs@custserv.com.CN=Mark Jacobs.OU=Time Customer Service.O=Ti<
>me Inc.L=Tampa.SP=Florida.C=US<
Private Key Type: None
Ring Associations:
Ring Owner: AIMJ3
Ring:
>User.aimj3.SSL.CRT<

This is how I converted the private key:

//COZPROC EXEC COZPROC,ARGS='mark@10.176.151.44'
//STDIN DD *
fromfile -ssh aimj@tcs1 /u/aimj3/.ssh/id_rsa > /tmp/id_rsa.zos
openssl req -new -x509 -key /tmp/id_rsa.zos \
-out /tmp/id_rsa.zos.der -outform DER \
-days 90
US
Florida
Tampa
Time Inc
Time Customer Service
Mark Jacobs
mark.jacobs@custserv.com

cat /tmp/id_rsa.zos.der | \
tofile -b -ssh aimj@tcs1 /u/aimj3/.ssh/id_rsa.der
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Import ssh-keygen private key into RACF Keyring

Post by dovetail »

The problem I believe is that your openssl command is actually creating a PKCS10 package (cert signing request), which does not have a private key.

What you need is a PKCS12 package, which you can create from an SSH private key file with the following two commands:

openssl req -new -x509 -key test2.rsa -out sshcert2.pkcs10 -outform PEM -days 90
openssl pkcs12 -export -in sshcert2.pkcs10 -inkey test2.rsa -out sshcert2.pkcs12

Then, you can transfer the PKCS12 file to a dataset and then add it as a certificate with RACDCERT.

You may wish to put a password on the PKCS12 dataset (generate a random one in this script), since it will have sensitive private key material.

Also, a little off topic, but I don't see why you are using "-ssh aimj@tcs1" on your fromfile command. By default, fromfile will reach back into the launching z/OS system. Is tcs1 a different system?
Also, you would of course want to make sure somehow that the temporary id_rsa file is protected during this process.

So, it's a pain to convert private keys :-) It's best, IMO, if you can, to generate them once on the client system into secure key storage and not move them. On z/OS, I like to use RACF and ICSF.
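The two-command conversion above, carried through end to end as an added example (this is not Co:Z Toolkit or Dovetail code, and not the poster's script). It generates a throwaway RSA key in place of a real id_rsa, wraps it in a self-signed certificate, exports a password-protected PKCS12 bundle, and then checks the two things that went wrong in the original post: that the bundle really carries a private key, and that the certificate wraps the same key the sftp partners already trust. All file paths, the subject DN and the working directory are constructed placeholders; it assumes OpenSSL (and optionally ssh-keygen) on the PATH of a Unix shell.

```shell
#!/bin/sh
# Added example, not part of the original thread or the Co:Z Toolkit.
# Assumes openssl on the PATH; ssh-keygen is used when present.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory
umask 077                       # every file below holds or protects key material

# Produce a test RSA private key in the traditional PEM form that openssl reads.
# Note: recent ssh-keygen writes the OpenSSH-native format by default, which
# openssl cannot parse; "-m PEM" (or "ssh-keygen -p -m PEM -f id_rsa" on an
# existing key) gives the traditional "BEGIN RSA PRIVATE KEY" form instead.
make_test_key() {
  key="$WORK/id_rsa"
  rm -f "$key" "$key.pub"
  if command -v ssh-keygen >/dev/null 2>&1 \
     && ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$key" >/dev/null 2>&1; then
    :
  else
    openssl genrsa -out "$key" 2048 >/dev/null 2>&1
  fi
  chmod 600 "$key"
  printf '%s\n' "$key"
}

# Wrap the key in a self-signed certificate. RACF needs a certificate to hang
# the private key on; the subject DN here is a constructed placeholder.
make_cert() {
  key="$1"; cert="$WORK/sshcert.pem"
  openssl req -new -x509 -key "$key" -out "$cert" -outform PEM -days 90 \
    -subj "/C=US/ST=Florida/L=Tampa/O=Example Inc/OU=Example Unit/CN=Example User" \
    >/dev/null 2>&1
  printf '%s\n' "$cert"
}

# Bundle certificate and key into PKCS12 under a random password. The password
# is kept in a 0600 file; RACDCERT ADD takes it via PASSWORD('...') at import.
# The SHA1/3DES PBE and MAC options are chosen because older keystores often
# reject the PBES2/AES defaults of newer OpenSSL releases.
make_pkcs12() {
  key="$1"; cert="$2"
  p12="$WORK/sshcert.p12"; pwfile="$WORK/sshcert.p12.pw"
  openssl rand -hex 16 > "$pwfile"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$p12" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "file:$pwfile" >/dev/null 2>&1
  printf '%s\n' "$p12"
}

# Check 1: the bundle contains a private key. A bundle built from the
# certificate alone imports fine but shows "Private Key Type: None" in RACF.
pkcs12_has_key() {
  p12="$1"; pwfile="$WORK/sshcert.p12.pw"
  openssl pkcs12 -in "$p12" -nocerts -nodes -passin "file:$pwfile" 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Check 2: the certificate's public key is the same RSA key as the ssh key,
# so partners' existing authorized_keys entries keep matching after migration.
key_matches_cert() {
  key="$1"; cert="$2"
  k=$(openssl rsa  -in "$key"  -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: convert and report the bundle path ready for transfer.
main() {
  key=$(make_test_key)
  cert=$(make_cert "$key")
  p12=$(make_pkcs12 "$key" "$cert")
  pkcs12_has_key "$p12"  || { echo "no private key in $p12" >&2; exit 1; }
  key_matches_cert "$key" "$cert" || { echo "cert does not match key" >&2; exit 1; }
  echo "PKCS12 bundle ready: $p12 (password in $p12.pw)"
}

[ "${1:-}" = "run" ] && main
exit 0
```

Run it as `sh convert.sh run`. The resulting bundle is what gets moved to a dataset (with `tofile -b`) and added with `RACDCERT ADD(...) ID(userid) WITHLABEL('...') PASSWORD('...')`; the password file and the scratch copies of id_rsa should be wiped as soon as the import succeeds. If a particular keystore still rejects the bundle, the `-keypbe`/`-certpbe`/`-macalg` options are the knobs to adjust, since the certificate and key themselves are independent of them.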
jacobsm
Posts: 37
Joined: Thu Apr 23, 2009 9:18 am
Location: Tampa, Florida

Re: Import ssh-keygen private key into RACF Keyring

Post by jacobsm »

Thanks. I'll try your conversion commands.

I agree that it'll be best to create any new certificate pairs using RACF and ICSF, but we didn't want to generate new pairs for existing processes since it would be a logistical nightmare to send the new public keys to our many external sftp file transfer clients.

Mark Jacobs