Re: gskkyman & public key
Skippy, a number of misapprehensions in there.

A certificate never "consists of a public and private key." A certificate contains a public key, and somewhere there is a corresponding private key. A PKCS12 package may contain both the certificate and the private key, but a certificate itself never contains a private key.

No, the "public key" per se is not installed anywhere. If the FTP server will be presenting a server certificate, then the root certificate of the CA that signed that certificate must be installed and trusted on the client machine. (If the server certificate is self-signed, then it is its own CA, and it must be pre-installed and trusted on the client.)

"When looking at a directory of certs, how can I find the public one?" is not a question that has an answer. "Public cert" is not a generally recognized concept.

There are many, many ways that one might create a certificate, but the most common sort of approach would be (1) using gskkyman or RACF to create a certificate signing request, and then having (a.) a public CA who will charge you money; or (b.) PKI services run by your shop to sign it and issue a certificate; or (2) using RACF or gskkyman to create a self-signed certificate. Self-signed certificates are a whole topic of their own, but briefly, the plus is that they are free and easy; the minus is that they enjoy a certain amount of ill repute and will not be suitable in many scenarios.

If you are going to be your own certificate expert then I think you need to start with some general education on how the certificate process works, and then proceed from there to specific, detailed questions on this list. There are a number of SHARE presentations that would be a starting point, or the RACF Sec Admin Guide, or perhaps one of the Redbooks. Otherwise you will need to retain the services of such an expert.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Skippy the Ancient
Sent: Thursday, November 5, 2020 6:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: gskkyman & public key

I am asking in regards to FTPS. I know gskkyman can create/import/export certs. The cert consists of a public and private key. I'm asking because it's my understanding that the public key should be loaded up and installed on a client computer. Is that correct? When looking at a directory full of certs, how can I find the public one? Or how do I create it?
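As an added example that is not part of the original thread (and not gskkyman or RACF code): the distinction drawn in the reply above, between a certificate that holds only a public key and a package that also carries the private key, checked by reading the PEM labels of exported files before anything is sent to a client. The function names and sample files are constructed for illustration, and the payloads are placeholders, not real keys.

```python
import base64
import re

# PEM armor (RFC 7468): BEGIN/END lines that carry a matching label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def classify_pem(text):
    """Return [(label, is_private, well_formed)] for every PEM block in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            well_formed = der[:1] == b"\x30"  # these objects are DER SEQUENCEs
        except ValueError:
            well_formed = False
        # PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
        found.append((label, label.endswith("PRIVATE KEY"), well_formed))
    return found

def safe_to_send(text):
    """True only if text holds at least one PEM block and none is a private key."""
    blocks = classify_pem(text)
    return bool(blocks) and not any(private for _, private, _ in blocks)

def _pem(label, der):
    # Helper that builds the constructed samples below.
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed placeholder payload (a 5-byte DER SEQUENCE), not real key material.
_DER = b"\x30\x03\x02\x01\x00"
CA_CERT_FILE = _pem("CERTIFICATE", _DER)            # what the client must trust
CSR_FILE = _pem("CERTIFICATE REQUEST", _DER)        # what is sent to the CA
BUNDLE_FILE = _pem("CERTIFICATE", _DER) + _pem("ENCRYPTED PRIVATE KEY", _DER)

if __name__ == "__main__":
    for name, data in [("ca.pem", CA_CERT_FILE), ("req.csr", CSR_FILE),
                       ("bundle.pem", BUNDLE_FILE)]:
        print(name, classify_pem(data), "safe to send:", safe_to_send(data))
```

A binary PKCS12 package carries no PEM armor, so it yields no blocks here and `safe_to_send` returns False for it.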
Re: [EXTERNAL] Re: gskkyman & public key
Sorry FTPS - x.509 certs need to be exchanged and loaded onto the RACF keyring specified in the TLS rule in PAGENT and if you have client auth enabled the cert will need to be on the client PC/Device also

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Marshall Stone
Sent: Thursday, November 5, 2020 9:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: gskkyman & public key

Public keys need to be exchanged between partners - client stores it usually in a file called /etc/ssh/known_hosts - server stores public key in /u/userid/.ssh/authorized_keys

MS

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Skippy the Ancient
Sent: Thursday, November 5, 2020 9:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: gskkyman & public key

I am asking in regards to FTPS. I know gskkyman can create/import/export certs. The cert consists of a public and private key. I'm asking because it's my understanding that the public key should be loaded up and installed on a client computer. Is that correct? When looking at a directory full of certs, how can I find the public one? Or how do I create it?
Re: [EXTERNAL] Re: gskkyman & public key
Public keys need to be exchanged between partners - client stores it usually in a file called /etc/ssh/known_hosts - server stores public key in /u/userid/.ssh/authorized_keys

MS

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Skippy the Ancient
Sent: Thursday, November 5, 2020 9:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: gskkyman & public key

I am asking in regards to FTPS. I know gskkyman can create/import/export certs. The cert consists of a public and private key. I'm asking because it's my understanding that the public key should be loaded up and installed on a client computer. Is that correct? When looking at a directory full of certs, how can I find the public one? Or how do I create it?
Re: gskkyman & public key
I am asking in regards to FTPS. I know gskkyman can create/import/export certs. The cert consists of a public and private key. I'm asking because it's my understanding that the public key should be loaded up and installed on a client computer. Is that correct? When looking at a directory full of certs, how can I find the public one? Or how do I create it?
Re: gskkyman & public key
I have used gskkyman a lot but do not have it open at the moment. Do you see an option to create a Certificate Signing Request? A CSR would contain a public key.

Your question only makes sense if I take it literally. The above is how to create a public key, which is what you asked. But to be useful, there must be a private key in the picture somewhere. A public key by itself is like a lock without a key. Where do you want the private key to be? (It will *not* be in the CSR but gskkyman should store it somewhere.)

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Skippy the Ancient
Sent: Wednesday, November 4, 2020 8:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: gskkyman & public key

How does one create a public key with gskkyman?
Re: gskkyman & public key
Now, if you're talking about SFTP, that's a whole different animal. And, I don't think gskkyman comes into play with that. Rather, you would use the ssh-keygen stuff.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of PINION, RICHARD W.
Sent: Wednesday, November 4, 2020 11:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [Originated Externally]Re: gskkyman & public key

I used the instructions from https://www3.rocketsoftware.com/bluezone/help/v52/en/bzadmin/bzd_aref_enable-ssl-on-z-os.htm

I think that will detail the creation of keys and certificates.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Skippy the Ancient
Sent: Wednesday, November 4, 2020 11:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: gskkyman & public key

How does one create a public key with gskkyman?
Re: gskkyman & public key
I used the instructions from https://www3.rocketsoftware.com/bluezone/help/v52/en/bzadmin/bzd_aref_enable-ssl-on-z-os.htm

I think that will detail the creation of keys and certificates.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Skippy the Ancient
Sent: Wednesday, November 4, 2020 11:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: gskkyman & public key

How does one create a public key with gskkyman?
gskkyman & public key
How does one create a public key with gskkyman?