Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Authentication >>
        Using the z/OS System Authorization Facility
        Server Authentication with Public Keys in File >>
        Server Authentication with Certificates >>
            Certificates Stored in File
            Certificates Stored in SAF
        User Authentication with Passwords
        User Authentication with Public Keys in File >>
        User Authentication with Certificates >>
        Host-Based User Authentication >>
        User Authentication with Keyboard-Interactive
    System Administration >>
    File Transfer Using SFTP >>
    Secure File Transfer Using Transparent FTP Security >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Man Pages and Default Configuration Files >>
    Log Messages >>

Certificates Stored in File

To configure SSH Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:

  1. Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools. Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.Example: Key generation and enrollment using ssh-cmpclient-g3:
    # ssh-cmpclient-g3 INITIALIZE \ 
       -p 62154:secret \
       -P generate://ssh2@rsa:1536/testserv-rsa \
       -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
       -o /opt/tectia/etc/testserv-rsa \
       -S http://fw.example.com:1080 \
       http://pki.example.com:8080/pkix/ \
       'C=FI, O=SSH, CN=Test CA 1'
    
    For more information on the ssh-cmpclient-g3 and ssh-scepclient-g3, see the man pages.
  2. Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:
     
    HostKeyFile              testserv-rsa.prv
    HostCertificateFile      testserv-rsa-0.crt
    HostKey.Cert.Required    no
    
    Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.
  3. Restart the server as instructed in Section Restarting sshd2.

For more information on the configuration file options, see sshd2_config.

PreviousNextUp[Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice

===AUTO_SCHEMA_MARKUP===