Top Secret

  • 1.  How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Posted May 01, 2018 03:55 PM

    Trying to set up Top Secret as the Mainframe key manager/keystore but having trouble finding a way to import existing keys in .ssh/authorized_keys and .ssh/known_hosts into Top Secret.



  • 2.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Broadcom Employee
    Posted May 02, 2018 01:51 PM

    Ken,

     

    As long as your product supports calling external security (CA Top Secret, CA ACF2, IBM RACF) for digital certificates, then there shouldn't be a problem.

     

    There are two parts to this.

    1. You need to customize your product to tell it to call external security, and specify the keyring name and certificate names that will be used for those security calls.

    2. In CA Top Secret, you will need to add the certificates to the security file, create the keyring on the user, and attach the certificate to the keyring.

     

    The CA Top Secret doc has some examples on setting up digital certificates with the more popular products. The setup is generally the same between all products. Just the keyring names and certificate names are different.

     

    What product will you be using with digital certificates?

     

    Regards,

     

    Joseph Porto - CA Level 1 Support



  • 3.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Posted May 02, 2018 02:06 PM

    Therein lies my problem.  I have an SFTP setup which is using manually generated keys in the z/OS UNIX file system.  There are no certificates and nothing in CSF.  I need to take a key (not certificate) from .ssh/known_hosts and .ssh/authorized_keys and somehow get them into a certificate in Top Secret.  I am at a loss as to how to accomplish this.



  • 4.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Broadcom Employee
    Posted May 02, 2018 03:44 PM

    Ken,

     

    Great. Thank you. Have helped hundreds of clients set up SSL with SFTP, so we are in familiar territory.

     

    I suspect the keys you have in the directory are x509 formatted certificates which TSS should be able to import into the security file.

     

    We need to FTP the certificates to a Variable Blocked DSORG=PS dataset. Depending on the x509 format we will need to FTP in binary or ASCII, which is discussed in the following link.

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec484087.aspx

     

    I would create 2 datasets. FTP binary to one dataset and then ASCII to the other if you don't know which x509 format is being used.

     

    Once you have them in a dataset, issue a TSS CHKCERT DCDSN(datasetname) against both of them. One will get an invalid certificate format message so we will know that is not the one we will be using. The other should display the attributes of the certificates and that is the dataset we will use to import to the security file.

     

    Finally, issue the following commands:

     

    TSS ADD(CERTAUTH) DIGICERT(digicertname) DCDSN(datasetname)   <--for a root certificate.

    TSS ADD(CERTSITE) DIGICERT(digicertname) DCDSN(datasetname) <--for user/personal/client certificate

    TSS ADD(CERTSITE) DIGICERT(digicertname) DCDSN(datasetname) PKCSPASS(password) <--for user/personal/client certificate that is password protected.

     

    Issue TSS LIST(CERTSITE) DIGICERT(digicertname) or TSS LIST(CERTAUTH) DIGICERT(digicertname) to confirm that the certificate was added to the security file.

     

    If you have problems, please open a ticket with support and we can pursue it in private. We don't want to be posting confidential site information here for everyone to see.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support
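The post above has you upload the certificate twice and let TSS CHKCERT reject the wrong copy. As an added example (not part of the thread, and not CA/Broadcom or z/OS tooling), the Python below inspects the file before the FTP: PEM is base64 text between BEGIN/END CERTIFICATE lines and goes up in ASCII mode (so it is translated to EBCDIC on the way), DER is raw ASN.1 and goes up in binary mode. It also converts PEM to DER so a single binary transfer is enough. The sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate; the dataset allocation and TSS ADD/LIST commands are exactly as the post gives them.

```python
"""Tell PEM from DER before moving an X.509 certificate to a z/OS dataset.

Constructed example, not CA/Broadcom code: PEM goes up in FTP ASCII mode,
DER goes up in FTP binary mode.
"""
import base64
import re

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _der_total_length(data: bytes):
    """Total length of the outer DER SEQUENCE at the start of data, or None."""
    if len(data) < 2 or data[0] != 0x30:          # X.509 Certificate is a SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    nbytes = first & 0x7F                         # long form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(data[2:2 + nbytes], "big")


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    match = _PEM_RE.search(data)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:
            return "unknown"
        return "pem" if _der_total_length(der) == len(der) else "unknown"
    return "der" if _der_total_length(data) == len(data) else "unknown"


def transfer_mode(data: bytes) -> str:
    """FTP mode to use for this file: 'ascii' for PEM, 'binary' for DER."""
    fmt = detect_format(data)
    if fmt == "pem":
        return "ascii"
    if fmt == "der":
        return "binary"
    raise ValueError("not a PEM or DER certificate; TSS CHKCERT would reject it")


def to_der(data: bytes) -> bytes:
    """Normalise to DER so one binary transfer is enough."""
    fmt = detect_format(data)
    if fmt == "der":
        return data
    if fmt == "pem":
        return base64.b64decode(b"".join(_PEM_RE.search(data).group(1).split()))
    raise ValueError("not a PEM or DER certificate")


# Constructed samples: minimal ASN.1 SEQUENCEs, not real certificates.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(SAMPLE_DER)
    + b"\r\n-----END CERTIFICATE-----\r\n"
)
# Long-form length (0x81 0xC8 = 200 content bytes), as real certificates use.
SAMPLE_DER_LONG = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197

if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("long", SAMPLE_DER_LONG)):
        print(name, detect_format(blob), transfer_mode(blob))
```

The check only validates the outer SEQUENCE framing, which is enough to choose the transfer mode; CHKCERT still does the real parse on the mainframe. A PEM bundle holding a chain yields the first certificate only, so split chains before uploading.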



  • 5.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Broadcom Employee
    Posted May 07, 2018 11:13 AM

    Ken,

     

    Just following up to see if you had a chance to look at my previous update and if there are any questions.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support



  • 6.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Posted May 07, 2018 11:30 AM

    It appears that the generated keys I want to import are in RFC4716 format (format used by ssh-keygen) which do not appear to be importable by Top Secret unless you know of some way I can change the format.  OpenSSH can create a certificate, however, the doc states they cannot be stored in a keyring.

    Note: OpenSSH certificates are a different, and much simpler, format to the X.509
    certificates used in SSL / TLS. Unlike individual user/host keys, which may be
    stored in a SAF key ring, SSH certificates may not be stored in SAF key ring.



  • 7.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Broadcom Employee
    Posted May 07, 2018 12:57 PM

    I don't think we support RFC4716, but I am double-checking with Level 2 and will get back to you.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support

     



  • 8.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Posted May 10, 2018 10:28 AM

    Not sure if this will help, but if TS doesn't support it, try importing the keys into the SYS1.TCPPARM file on each system and then submit a test SFTP to ensure it works.  



  • 9.  Re: How do I get existing keys from .ssh/known_hosts and .ssh/authorized_keys into TSS.  We would like to use TSS as key manager/keystore for all Mainframe resident keys.

    Posted Dec 12, 2018 11:58 AM

    There is a way to get a certificate, but it must be done on the system where the SSH private keys are! So on the Linux hosts where the private keys are stored. You can create an x509 self-signed cert from the SSH private key:

       openssl req -x509 -key ssh_private_key -new -out cert.crt -days 3650

    This would generate that cert.crt that basically links the private key used for SSH to the certificate.
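Two points in the thread, the RFC4716 / ssh-keygen format that post 6 found TSS cannot import and the jump to X.509 in post 9, as one added example that is not from the thread and not OpenSSH, OpenSSL or Broadcom code. The Python below pulls the base64 blob out of an authorized_keys line, a known_hosts line, or the RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" block that `ssh-keygen -e` writes (all three carry the same blob), decodes it as the SSH wire format (length-prefixed strings, not ASN.1, which is why CHKCERT has nothing to recognise), and re-encodes an ssh-rsa public key as a DER SubjectPublicKeyInfo, the structure an X.509 certificate wraps. Every sample key is constructed inside the block with toy or made-up parameters.

```python
"""Parse an OpenSSH (authorized_keys/known_hosts) or RFC 4716 public key and
re-encode an RSA key as a DER SubjectPublicKeyInfo, the X.509 public-key form.

Constructed example with toy/made-up key parameters; not OpenSSH, OpenSSL or
Broadcom code. Only the public half is converted: the output is not a certificate.
"""
import base64
import struct

_RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


# --- SSH wire format: 4-byte big-endian length + bytes ("string" / "mpint") ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # positive mpint: minimal big-endian bytes, leading 0x00 if the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH string body")
    return buf[off:off + length], off + length


def encode_openssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build a one-line authorized_keys entry (used here only to construct samples)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def extract_blob(text: str) -> bytes:
    """Base64 blob from an authorized_keys line ('keytype base64 [comment]'),
    a known_hosts line ('host keytype base64'), or an RFC 4716 block."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        # header lines such as 'Comment: ...' contain a colon; base64 never does
        body = [ln for ln in lines[1:] if not ln.startswith("---- END") and ":" not in ln]
        return base64.b64decode("".join(body))
    fields = lines[0].split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no SSH public key found")


def parse_pubkey(text: str):
    """Return (key type, list of raw fields). Fields are SSH strings, not ASN.1."""
    blob = extract_blob(text)
    ktype, off = _read_string(blob, 0)
    parts = []
    while off < len(blob):
        part, off = _read_string(blob, off)
        parts.append(part)
    return ktype.decode("ascii"), parts


def rsa_params(text: str):
    ktype, parts = parse_pubkey(text)
    if ktype != "ssh-rsa" or len(parts) != 2:
        raise ValueError(f"not an ssh-rsa key: {ktype}")
    e, n = (int.from_bytes(p, "big") for p in parts)   # ssh-rsa blob order is e, n
    return e, n


# --- DER encoding: tag, length, value ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(i: int) -> bytes:
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def rsa_spki_der(text: str) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier { rsaEncryption, NULL },
    BIT STRING { RSAPublicKey { n, e } } } for an ssh-rsa key."""
    e, n = rsa_params(text)
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, _RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


# Constructed samples (toy parameters; a real key would be 2048+ bits).
TOY_LINE = encode_openssh_rsa(3, 5, "toy@example")
SAMPLE_N = (1 << 1023) | 0x10001   # high bit set: exercises the leading-0x00 rule
SAMPLE_AUTHORIZED_KEYS = encode_openssh_rsa(65537, SAMPLE_N, "ken@mainframe")
SAMPLE_KNOWN_HOSTS = "sftp.example.com " + SAMPLE_AUTHORIZED_KEYS.rsplit(" ", 1)[0]
_b64 = SAMPLE_AUTHORIZED_KEYS.split()[1]
SAMPLE_RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"ken@mainframe\"\n"
                  + "\n".join(_b64[i:i + 70] for i in range(0, len(_b64), 70))
                  + "\n---- END SSH2 PUBLIC KEY ----\n")
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode("ascii")

if __name__ == "__main__":
    print(parse_pubkey(SAMPLE_RFC4716)[0], rsa_spki_der(TOY_LINE).hex())
```

The DER produced here is only the public key; a keyring entry still needs a certificate around it, which is what the `openssl req -x509 -key` command above builds on the host that holds the private key. One caveat for that step: OpenSSL reads PEM/PKCS#8 private keys, not the "OPENSSH PRIVATE KEY" container that current ssh-keygen writes by default, so rewrite the key in place with `ssh-keygen -p -m PEM -f ssh_private_key` first, then compare the certificate's public key against the parsed authorized_keys entry before trusting the result.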