Set up collective security using SAF key rings and certificates for SSH on the z/OS operating system
We can set up collective security by configuring the collective controller and its members with System Authorization Facility (SAF) certificates and key rings. The Liberty collectiveController-1.0 feature enables the default use of a single collective-wide SSH key pair for authentication between the controller and its members.
We can administer the collective with Admin Center without requiring an Angel, bbgzangl and bbgzsrv procedural templates, or z/OS authorized services.
Collective security with SAF for SSH on z/OS supports the following authentication flows between the controller and its members.
- Member to controller communication flow
  - The member sends the personal certificate from its server identity keystore to the controller.
  - The controller verifies the certificate chain of the member's personal certificate by checking for the signer certificate in the collective trust keystore.
  - The controller confirms that the member personal certificate is a collective certificate: it checks that the DN of the member personal certificate matches the value that the rdn attribute of the collectiveCertificate element specifies in the controller server.xml file.
- Controller to member communication flow
  - The controller sends the personal certificate from its server identity keystore to the member.
  - The member verifies the certificate chain of the controller's personal certificate by checking for the signer certificate in the collective trust keystore.
  - The member confirms that the controller personal certificate is a collective certificate: it checks that the DN of the controller personal certificate matches the value that the rdn attribute of the collectiveCertificate element specifies in the member server.xml file.
- Controller SSH flow
  - A pair of RSA keys is generated on server startup at ${server.config.dir}/resources/security/ssh.
  - The public key is added to the controller ~/.ssh/authorized_keys file.
  - For operations such as start server and stop server, the controller authenticates to the member system over SSH with this key pair. The private key is obtained from the controller CollectiveSSH personal certificate.
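The DN check in the two TLS flows above is what distinguishes a collective member from any other certificate that happens to chain to the same signer, so it is worth seeing what "the DN matches the collectiveCertificate rdn value" has to handle. The following Python is an added example, not code from the original page or from Liberty itself: it parses RFC 4514 DN strings (escaped commas, hex escapes, multi-valued RDNs), normalises attribute types case-insensitively, and answers whether a peer's subject DN contains the configured RDN. The sample DNs and the `verify_peer` wrapper are constructed for illustration, and the comparison rules (whole-RDN match, exact value comparison) are assumptions; the page does not describe how Liberty itself compares the values.

```python
"""Collective-certificate DN check, as an added illustration of the step
"confirm the peer personal certificate is a collective certificate".
Not Liberty code; comparison rules below are assumptions."""

_HEX = "0123456789abcdefABCDEF"


def _split(s: str, sep: str) -> list[str]:
    """Split on sep while honouring backslash escapes, so that a separator
    inside a value (e.g. O=Example\\, Inc.) is not treated as a boundary."""
    parts, buf, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])   # keep the escape pair for _unescape
            i += 2
            continue
        if c == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: \\XX is one UTF-8 byte, \\c is the literal c."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(ch in _HEX for ch in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def _parse_rdn(rdn: str) -> frozenset[tuple[str, str]]:
    """Normalise one RDN (possibly multi-valued, joined by '+') to a set of
    (type, value) pairs. Attribute types are case-insensitive (OU == ou);
    values are compared exactly after unescaping (an assumption)."""
    pairs = set()
    for ava in _split(rdn, "+"):
        attr_type, sep, attr_value = ava.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {ava!r}")
        pairs.add((attr_type.strip().lower(), _unescape(attr_value.strip())))
    return frozenset(pairs)


def parse_dn(dn: str) -> list[frozenset[tuple[str, str]]]:
    """Parse a DN string into its ordered list of normalised RDNs."""
    return [_parse_rdn(r) for r in _split(dn, ",")]


def is_collective_certificate(subject_dn: str, collective_rdn: str) -> bool:
    """True if the peer certificate's subject DN contains the configured
    collective RDN as a whole RDN (assumed matching rule)."""
    return _parse_rdn(collective_rdn) in parse_dn(subject_dn)


def verify_peer(subject_dn: str, chain_trusted: bool, collective_rdn: str) -> str:
    """Both checks each flow performs after the handshake: chain validity
    against the collective trust keystore (passed in here as a flag), then
    the DN check. Returns 'accept' or a rejection reason."""
    if not chain_trusted:
        return "reject: signer not in collective trust keystore"
    if not is_collective_certificate(subject_dn, collective_rdn):
        return "reject: certificate is not a collective certificate"
    return "accept"


# Constructed sample values for illustration (not from any real deployment).
COLLECTIVE_RDN = "OU=collective1"
MEMBER_DN = "CN=member1.example.com,OU=collective1,O=Example\\, Inc.,C=US"
OTHER_DN = "CN=appserver,OU=production,O=Example\\, Inc.,C=US"

if __name__ == "__main__":
    for dn in (MEMBER_DN, OTHER_DN):
        print(dn, "->", verify_peer(dn, True, COLLECTIVE_RDN))
```

Note that a certificate whose chain validates but whose DN lacks the collective RDN is still rejected; that is the case `OTHER_DN` exercises, and it is the reason the DN step exists in addition to chain validation.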