Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Authentication >>
        Using the z/OS System Authorization Facility
        Server Authentication with Public Keys in File >>
        Server Authentication with Certificates >>
            Certificates Stored in File
            Certificates Stored in SAF
        User Authentication with Passwords
        User Authentication with Public Keys in File >>
        User Authentication with Certificates >>
        Host-Based User Authentication >>
        User Authentication with Keyboard-Interactive
    System Administration >>
    File Transfer Using SFTP >>
    Secure File Transfer Using Transparent FTP Security >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Man Pages and Default Configuration Files >>
    Log Messages >>

Certificates Stored in File

To configure SSH Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:

  1. Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools. Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.Example: Key generation and enrollment using ssh-cmpclient-g3:
    # ssh-cmpclient-g3 INITIALIZE \ 
       -p 62154:secret \
       -P generate://ssh2@rsa:1536/testserv-rsa \
       -s "C=FI,O=SSH,CN=testserv;" \
       -o /opt/tectia/etc/testserv-rsa \
       -S \ \
       'C=FI, O=SSH, CN=Test CA 1'
    For more information on the ssh-cmpclient-g3 and ssh-scepclient-g3, see the man pages.
  2. Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:
    HostKeyFile              testserv-rsa.prv
    HostCertificateFile      testserv-rsa-0.crt
    HostKey.Cert.Required    no
    Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.
  3. Restart the server as instructed in Section Restarting sshd2.

For more information on the configuration file options, see sshd2_config.

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now