SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Using SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Examples of Use >>
    Man Pages >>
        scp2
        sftp2
        ssh-add2
        ssh-agent2
        ssh-certd
        ssh_certd_config
        ssh-certview >>
        ssh-cmpclient >>
        ssh-dummy-shell
        ssh-ekview
        ssh-externalkeys
        ssh-keygen2
        ssh-probe2
        ssh-scepclient >>
        ssh-sft-stage
        ssh2
        ssh2_config
        sshd-check-conf
        sshd2
        sshd2_config
        sshd2_subconfig
        sshregex
    Log Messages >>

ssh-externalkeys

SSH-EXTERNALKEYS(5)            SSH2           SSH-EXTERNALKEYS(5)


DESCRIPTION
       This  document  contains  general  information about using
       external keys with SSH Tectia Server for IBM z/OS.


USING EXTERNAL KEYS
       For applications  capable  of  using  external  keys,  two
       strings  need  to  be specified: the provider name and the
       initialization string for the provider. These strings  can
       be  given  on the command line or in a configuration file,
       depending  on  the  application.  The  following   section
       describes   the  different  providers  available  in  more
       detail.

       The provider name and/or the initialization string may  be
       defined in the following configuration keywords:

       In ssh2_config:

              EkInitString="initstring"
              EkProvider="provider"
              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              HostKeysEkProvider="provider:initstring"


       In sshd2_config:

              AuthorizationEkProvider="provider:initstring"
              HostKeyEkInitString="initstring"
              HostKeyEkProvider="provider"
              KnownHostsEkProvider="provider:initstring"


       In ssh_certd_config:

              HostCAEkProvider="provider:initstring"
              HostCAEkProviderNoCRLs="provider:initstring"
              PkiEkProvider="provider:initstring"


EXTERNAL KEY PROVIDERS
       zos-saf

              The  zos-saf  provider  is  used for accessing keys
              stored in the IBM z/OS System Authorization  Facil-
              ity (SAF).

              The  initialization string for the zos-saf provider
              specifies the key(s) to be used and it has the fol-
              lowing components:

              {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...

              KEYS(..) may repeat. The subattributes are:

              ID - A SAF user id signifying the owner of the  key
              ring. If missing, the current user's id is used.

              RING - Key ring name. Mandatory.

              LABEL  - The SAF key label. If missing, and DEFAULT
              is missing, use all the keys in the key ring.

              DEFAULT  - Use  the  key  that  is  marked  as  the
              default  key  on  the  key  ring.  Do  not  specify
              together with LABEL.

              The   initialization   string  specified  with  the
              HostKeyEkInitString keyword  of  sshd2_config  must
              point to a single private key. If the key ring con-
              tains several keys, LABEL must be used  to  distin-
              guish between the keys.

              When using a trusted key provider and the SSH  Tec-
              tia  Certificate  Validator, specify KEYS variables
              that include all the CA  certificates  needed,  for
              example:

              PkiEkProvider="zos-saf"
              PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA'))
                               KEYS(ID(SSHTEST) RING(Internal.CAs))"

              The  EkInitString  keyword  of  ssh2_config and the
              AuthorizationEkProvider keyword of sshd2_config can
              contain  special  strings  in the key specification
              that are mapped according the following list:

              %U = user name

              %IU = user ID

              %IG = user group ID


AUTHORS
       SSH Communications Security Corp.

       For more information, see http://www.ssh.com.


SEE ALSO
       ssh-certd(8),  ssh2(1),   sshd2(8),   ssh_certd_config(5),
       ssh2_config(5), sshd2_config(5).

PreviousNextUp[Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2006 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice