Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Configuring the Client >>
    Authentication >>
    File Transfer Using SFTP >>
    File Transfer Using Transparent FTP Tunneling >>
    Tunneling on the Command Line >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Advanced Information >>
    Man Pages >>
        ssh-socks-proxy >>
        ssh-socks-proxy-config >>
        ssh-socks-proxy-ctl >>
        ssh-certview >>
        ssh-cmpclient >>
        ssh-keydist2 >>
        ssh-scepclient >>
    Log Messages >>


The following examples illustrate the use cases of ssh-cmpclient. If there is a firewall between the client and the CA server, you may need to provide a complete SOCKS server URL in addition to the options given (for example, -S

Initial Certificate Enrollment

This example provides commands for enrolling an initial certificate for digital signature use. It generates a private key into a PKCS #8 plaintext file named initial.prv, and stores the enrolled certificate into file initial-0.crt. The user is authenticated to the CA with the key identifier (refnum) 62154 and the key secret. The subject name and alternative IP address are given, as well as key-usage flags. The CA address is, the port 8080, and the CA name to access is Test CA 1.

$ ssh-cmpclient INITIALIZE \
   -p 62154:secret \
   -P generate://pkcs8@rsa:1024/initial \ 
   -s 'C=FI,O=SSH,CN=Example/initial;IP=' -u digitalsignature \
   -o initial \ \
   'C=FI, O=SSH, CN=Test CA 1'

As a response the command presents the issued certificate to the user, and the user accepts it by typing yes at the prompt.

Certificate =
  SubjectName = <C=FI, O=SSH, CN=Example/initial>
  IssuerName = <C=FI, O=SSH, CN=Test CA 1>
  SerialNumber= 8017690
  SignatureAlgorithm = rsa-pkcs1-sha1
  Validity = ...
  PublicKeyInfo = ...
  Extensions =
      Viewing specific name types = IP =
    KeyUsage = DigitalSignature
    CRLDistributionPoints = ...
    AuthorityKeyID =
      KeyID = 3d:cb:be:20:64:49:16:1d:88:b7:98:67:93:f0:5d:42:81:2e:bd:0c
    SubjectKeyID =
      KeyId = 6c:f4:0e:ba:b9:ef:44:37:db:ad:1f:fc:46:e0:25:9f:c8:ce:cb:da
  Fingerprints =
    MD5 = b7:6d:5b:4d:e0:94:d1:1f:ec:ca:c2:ed:68:ac:bf:56
    SHA-1 = 4f:de:73:db:ff:e8:7d:42:c4:7d:e1:79:1f:20:43:71:2f:81:ff:fa

Do you accept the certificate above? yes

Key update

Before the certificate expires, a new certificate with updated validity period should be enrolled. ssh-cmpclient supports key update, where new private key is generated and the key update request is authenticated with the old (still valid) certificate. The old certificate is also used as a template for issuing the new certificate, so the identity of the user will not be changed during the key update. With the following command you can update the key pair, which was enrolled in the previous example. Presenting the result certificate has been left out.

$ ssh-cmpclient UPDATE \
   -c initial-0.crt -k initial.prv \
   -P generate://pkcs8@rsa:1024/updatedcert \
   -o updatedcert \ \
   'C=FI, O=SSH, CN=Test CA 1'

The new key pair can be found in the files with the updatedcert prefix. The policy of the issuing CA needs to also allow automatic key updates if ssh-cmpclient is used in the UPDATE mode.

Certificate Enrollment for Private Key Stored in SAF

This example shows a command for enrolling a certificate for a private key that is stored in the user's key ring in SAF. The user is authenticated to the CA with the key identifier (refnum) 18437 and the key test. The key provider and the initialization string are given with the -Z option. The URL to the private key is given with the -P option. The certificate is stored in file test_1024_non-icsf-0.crt. The subject name is also given (CN=Newuser). The CA address is, the port 8080, and the CA name to access is Test CA 1.

$ ssh-cmpclient INITIALIZE \
   -p 18437:test \
   -Z 'zos-saf:keys(ring(TESTUSER1))' \
   -P 'zos-saf://0/TEST/TESTUSER1/TEST 1024 NON-ICSF' \
   -s 'CN=Newuser' \
   -o test_1024_non-icsf \ \
   'C=FI, O=SSH, CN=Test CA 1'

To get the value for the external key URL for the -P option, run ssh-ekview on the key ring, for example:

ssh-ekview -i "keys(ring(TESTUSER1))" zos-saf

See ssh-ekview for more information.

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more