Collective-wide SSH key configuration

The Liberty collectiveController-1.0 feature enables the default use of a single collective-wide SSH key pair for authentication between controllers and members/hosts. This collective-wide key pair is generated by default.


Pre-existing keys

Instead of using the default pair, we can specify a set of pre-existing keys to be used by the collective framework for SSH activity.

See the following examples for sets of pre-existing keys.

File-based keys: 

    collective create controller 
    --keystorePassword=key_store_password 
    --sshPrivateKey=path_to_private_key 
    --sshPrivateKeyPassword=private_key_password 
    --sshPublicKey=path_to_public_key

Non-file-based keys on z/OS: 

    collective create controller 
    --keystorePassword=key_store_password 
    --safKeyring=safkeyring://keyring_name 
    --safCertificateLabel=saf_certificate_label

    collective create controller 
    --keystorePassword=key_store_password 
    --safKeyring=safkeyringhw://keyring_name 
    --safCertificateLabel=saf_certificate_label 
    --safKeystoreType=JCECCARACFKS 
    --safKeystoreProvider=IBMJCECCA

    collective create controller 
    --keystorePassword=key_store_password 
    --safKeyring=safkeyringhybrid://keyring_name 
    --safCertificateLabel=saf_certificate_label 
    --safKeystoreType=JCEHYBRIDRACFKS 
    --safKeystoreProvider=IBMJCEHYBRID

The previous commands generate the following configuration elements, which override collective host information:

File-based keys: 

    <collectiveHostAuthInfo 
     sshPrivateKeyPath="path_to_private_key"
     sshPublicKeyPath="path_to_public_key"
     sshPrivateKeyPassword="private_key_password"/>

Non-file-based keys on z/OS: 

    <collectiveHostAuthInfo
     safKeyring="safkeyring://keyring_name"
     safCertificateLabel="saf_certificate_label"/>

    <collectiveHostAuthInfo
     safKeyring="safkeyringhw://keyring_name"
     safCertificateLabel="saf_certificate_label"
     safKeystoreType="JCECCARACFKS"
     safKeystoreProvider="IBMJCECCA"/>

    <collectiveHostAuthInfo
     safKeyring="safkeyringhybrid://keyring_name"
     safCertificateLabel="saf_certificate_label"
     safKeystoreType="JCEHYBRIDRACFKS"
     safKeystoreProvider="IBMJCEHYBRID"/>


z/OS notes

When using non-file-based keys on z/OS, the safKeystoreType and safKeystoreProvider entries are optional. We can specify the safKeystoreType attribute and omit the safKeystoreProvider attribute. If the safKeystoreProvider attribute is omitted, the system picks the appropriate provider based on the provider order of preference that is established through Java API calls or through the java.security file.

The following options are supported for the safKeystoreType attribute, the safKeystoreProvider attribute, and the safKeyring URL prefixes in respective order:

  • safKeystoreType: JCERACFKS, JCECCARACFKS, and JCEHYBRIDRACFKS.
  • safKeystoreProvider: IBMJCE, IBMJCECCA, and IBMJCEHYBRID.
  • safKeyring URL prefixes: safkeyring://, safkeyringhw://, and safkeyringhybrid://.

    Prefixes of safkeyring:///, safkeyringhw:///, and safkeyringhybrid:/// are also allowed.

For more information about the IBMJCECCA provider, see IBM z Platform Java Security Frequently Asked Questions. For more information about the IBMJCEHYBRID provider, see IBM JCE Hybrid Provider Reference Guide.


Configuration Attributes

    sshPrivateKeyPath

    Path and file name of the existing user specified private key file. If set, the sshPublicKeyPath attribute must also be configured. If not set, the controller will either use SAF authentication if configured, or generate an SSH key pair at the default location...

    sshPublicKeyPath

    Path and file name of the existing user specified public key file. If set, the sshPrivateKeyPath attribute must also be configured. If not set, the controller will either use SAF authentication if configured, or generate an SSH key pair at the default location...

    sshPrivateKeyPassword

    Password for the private key. This attribute has no default value.

    safKeyring

    Existing SAF key ring to use for the collective-wide SSH key pair. The specified URL location of the key ring must be in the format required for the keystore type. Use safkeyring://keyring_name or safkeyring:///keyring_name for the JCERACFKS keystore type. Use safkeyringhw://keyring_name or safkeyringhw:///keyring_name for the JCECCARACFKS keystore type. Use safkeyringhybrid://keyring_name or safkeyringhybrid:///keyring_name for the JCEHYBRIDRACFKS keystore type.

    If set, the safCertificateLabel attribute must also be configured. If not set, the controller will either use a configured SSH key pair, or generate an SSH key pair at the default location ${server.output.dir}/resources/security/ssh.

    safCertificateLabel

    Existing SAF Certificate Label. If set, the safKeyring attribute must also be configured. If not set, the controller will either use a configured SSH key pair, or generate an SSH key pair at the default location ${server.output.dir}/resources/security/ssh.

    safKeystoreType

    Type of keystore used when processing the key ring under the safKeyring attribute. Valid keystore types are JCERACFKS, JCECCARACFKS, and JCEHYBRIDRACFKS. This attribute is optional. If a keystore type is not specified, the JCERACFKS keystore type is used.

    safKeystoreProvider

    Keystore provider used when processing the keystore that is associated with the key ring under the safKeyring attribute. The allowed providers are IBMJCE, IBMJCECCA, and IBMJCEHYBRID. This attribute is optional. By default, no provider is used. The system picks the most appropriate provider based on provider setup.