SSH Tectia Server for IBM z/OS includes two implementations of certificate authentication. One is based on keys and X.509 certificates stored in files and uses software cryptography. This is the same implementation that is available in SSH Tectia products on other platforms. The other is based on keys and certificates managed by the z/OS System Authorization Facility (SAF), with cryptographic operations handled by the z/OS Integrated Cryptographic Service Facility (ICSF).
The server can be configured to allow or require certificate-based user authentication. To use SAF certificates, a trusted key provider must be configured. The users must be set up with digital certificates.
When using a certificate, the client can start authentication without presenting a username. If the username given by the user matches the value of the IdentityDispatchUsers option in the server configuration, the name retrieved from SAF will be used. However, the user ID cannot be changed during the authentication process. For example, if the server requires certificate authentication first and then password authentication, the user must give the password for the user that SAF determines from the certificate.
SAF determines the z/OS username using a one-to-one certificate-to-user-ID association, certificate name filtering, or the HostIdMappings certificate extension. SSH Tectia Server for IBM z/OS does not participate in this processing.
The server checks the user certificate using SAF and can be configured to do a full PKI validation using the SSH Tectia Certificate Validator.