SSH Tectia 

  • -o prefix

    Saves output certificates into files with the given prefix. A number is first appended to the prefix, followed by the file extension: .ca for CA certificates or .crt for user certificates.

  • -S url

    Specifies the SOCKS URL if the CA is located behind a SOCKS-enabled firewall. The format of the URL is: socks://[username@]server[:port][/network/bits[,network/bits]]

  • -H url

    Uses the given HTTP proxy server to access the CA. The format of the URL is: http://server[:port]/.

  • -N file

    Specifies a file to be used as an entropy source during key generation.

  • -Z provspec

    Specifies an external key provider for the private key. The value of provspec is "provider:initstring". Currently, the only valid value for provider is zos-saf. For the format of the initstring, see Appendix ssh-externalkeys. Example:

    "zos-saf:keys(ring(SSH2-KEYS) label('U313 KEY1'))"

The usage line utilizes the following meta commands:

  • psk

    The pre-shared key given by the CA or RA, or a revocation password invented by the client and provided to the CA when the user wishes to revoke the certificate issued. The type and need for this depends on the PKI platform used by the CA.

    • -p key

      An authentication password or a revocation password transferred (in encrypted format) to the CA for certification request or revocation request authorization purposes.

  • keypair

    The subject key pair to be certified.

    • -P url

      URL specifying the private key location. This is an external key URL whose format is specified in Section Synopsis.

  • ca

    The CA/RA certificates.

    • -C file

      When performing enrollment, reads the CA certificate from the given file path.

    • -E file

      Optionally specifies the RA encryption certificate.

    • -V file

      Optionally specifies the RA signing certificate.

  • template

    The subject name and flags to be certified.

    • -T file

      The file containing the certificate used as the template for the operation. Values used to identify the subject are read from this, but the user may overwrite the key, key-usage flags, or subject names.

    • -s subject-ldap[;type=value]*

      A subject name in reverse LDAP format, that is, the most general component first, and alternative subject names. The name subject-ldap will be copied into the request verbatim.

      A typical choice would be a DN in the format "C=US,O=SSH,CN=Some Body", but in principle this can be anything that is usable for the resulting certificate.

      The possible type values are ip, email, dn, dns, uri, and rid.

    • -u key-usage-name[;key-usage-name]*

      Requested key usage purpose code. The following codes are recognized: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly, and help. The special keyword help lists the supported key usages which are defined in RFC 3280.

    • -U extended-key-usage-name[;extended-key-usage-name]*

      Requested extended key usage code. The following codes are recognized, in addition to user-specified dotted OID values: serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, ikeIntermediate, and smartCardLogon.

  • access

    Specifies the address of the CA in URL format. If the host address is an IPv6 address, it must be enclosed in brackets (http://[IPv6-address]:port/).

  • name

    Specifies the destination CA name.
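
A pre-flight check for the -s, -u and -U values described above, so that a mistyped alternative name type or usage code is caught before a request is sent to the CA. This is an added example, not part of SSH Tectia; the function names are hypothetical, and it assumes exact-case matching, no ';' inside values, and treats the help keyword as a listing command rather than a usage code.

```python
import ipaddress
import re

# Recognized values, copied from the -s, -u and -U descriptions above.
ALT_NAME_TYPES = {"ip", "email", "dn", "dns", "uri", "rid"}
KEY_USAGES = {"digitalSignature", "nonRepudiation", "keyEncipherment",
              "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
              "encipherOnly", "decipherOnly"}
EXT_KEY_USAGES = {"serverAuth", "clientAuth", "codeSigning", "emailProtection",
                  "timeStamping", "ikeIntermediate", "smartCardLogon"}
DOTTED_OID = re.compile(r"\d+(\.\d+)+")


def parse_subject(arg):
    """Split a -s value into (subject-ldap, [(type, value), ...])."""
    subject, *alts = arg.split(";")  # assumption: values contain no ';'
    if not subject:
        raise ValueError("empty subject name")
    parsed = []
    for item in alts:
        kind, sep, value = item.partition("=")  # a dn value keeps its own '='
        if not sep or not value:
            raise ValueError(f"alternative name must be type=value: {item!r}")
        if kind not in ALT_NAME_TYPES:
            raise ValueError(f"unknown alternative name type: {kind!r}")
        if kind == "ip":
            ipaddress.ip_address(value)  # ValueError on a malformed address
        parsed.append((kind, value))
    return subject, parsed


def parse_usages(arg, extended=False):
    """Split a -u value (or -U when extended=True); reject unknown codes."""
    known = EXT_KEY_USAGES if extended else KEY_USAGES
    names = arg.split(";")
    for name in names:
        # Only -U also accepts user-specified dotted OID values.
        if name not in known and not (extended and DOTTED_OID.fullmatch(name)):
            raise ValueError(f"unrecognized key usage code: {name!r}")
    return names


if __name__ == "__main__":
    # Constructed sample values, not taken from a real enrollment.
    print(parse_subject("C=US,O=SSH,CN=Some Body;email=sb@example.com;ip=192.0.2.10"))
    print(parse_usages("digitalSignature;keyEncipherment"))
    print(parse_usages("clientAuth;1.3.6.1.4.1.99999.1", extended=True))
```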


Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.