SSH Tectia Server for IBM z/OS can be configured to support either public-key or certificate authentication. With certificate authentication, the private key and certificate can be stored either in SAF or in a file.
It is also possible to configure the server to use a key from SAF and use only the public key extracted from the certificate for authentication.
If a SAF key is configured but the key cannot be found, or if ICSF is required but not available, the server issues an error message and does not start.
Certificates Stored in File
To configure SSH Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:
Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient or ssh-scepclient command-line tools. Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.
Example: Key generation and enrollment using ssh-cmpclient:
Define the private key and the server certificate in the /etc/ssh2/sshd2_config file, for example, using the key and certificate created above:
Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured.
Note that HostKeyEkInitString must point to a single private key. Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When the z/OS SAF provider is used, setting the option to no means that only the public key found in the SAF certificate is used.
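The following check is an added example, not part of the product documentation or tooling: it lints the host authentication options of an sshd2_config file against the rules described above, so that a certificate-required setup without a certificate is caught before the server is restarted. It assumes one whitespace-separated "Keyword value" pair per line, lines starting with # as comments, case-insensitive keywords, and HostKeyFile as the option that names the private key file; the sample configurations and file names are constructed.

```python
def parse_config(text):
    """Map lowercased keyword -> value, skipping blank and '#' comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_host_auth(text):
    """Return a list of (level, message) findings for host authentication."""
    opts = parse_config(text)
    # HostKey.Cert.Required defaults to "no" when it is not set.
    cert_required = opts.get("hostkey.cert.required", "no").lower() == "yes"
    cert_file = opts.get("hostcertificatefile")
    key_file = opts.get("hostkeyfile")
    saf_key = opts.get("hostkeyekinitstring")
    findings = []
    if cert_required and not saf_key and not cert_file:
        findings.append(("ERROR", "HostKey.Cert.Required is yes and keys are in "
                         "file, but HostCertificateFile is not defined"))
    if not cert_required and saf_key:
        findings.append(("INFO", "SAF key without HostKey.Cert.Required yes: only "
                         "the public key from the SAF certificate is used"))
    if not cert_required and key_file and not cert_file and not saf_key:
        findings.append(("INFO", "no certificate configured: the server "
                         "authenticates with a normal public key"))
    return findings


# Constructed sample configurations (file names are illustrative only).
BROKEN = "# host key in file\nHostKeyFile hostkey\nHostKey.Cert.Required yes\n"
FIXED = BROKEN + "HostCertificateFile hostcert.crt\n"
# The init string value below is a placeholder, not a real provider string.
SAF_PUBKEY_ONLY = "HostKeyEkInitString PLACEHOLDER-INIT-STRING\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED),
                      ("saf", SAF_PUBKEY_ONLY)):
        print(name, check_host_auth(cfg) or "ok")
```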
For more information on the configuration file options, see sshd2_config. For information on the format of the external key initialization string, see ssh-externalkeys.