To configure SSH Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:
Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools. Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.Example: Key generation and enrollment using ssh-cmpclient-g3:
For more information on the ssh-cmpclient-g3 and ssh-scepclient-g3, see the man pages.
Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:
Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.