

Using the z/OS System Authorization Facility

Tectia Server for IBM z/OS supports X.509 certificates and RSA keys managed by the z/OS System Authorization Facility (SAF). See Certificates Stored in SAF and Certificates Stored in SAF. If SAF keys are going to be used, the users need permissions to access the relevant facilities.

Tectia Server for IBM z/OS uses the Integrated Cryptographic Services Facility (ICSF) if the UseCryptoHardware configuration variable allows it (see Crypto Hardware Support) or keys and certificates are stored in the System Authorization Facility (SAF) and the keys are of type ICSF or PCICC (see Certificates Stored in SAF and Certificates Stored in SAF). SAF will control the use of cryptographic services if the CSFSERV class is activated and will control the access to cryptographic keys if the CSFKEYS class is activated.

When using SAF private keys, the server or client user needs access to the CSFDSG resource in the CSFSERV class. The private keys can be secured by permitting access to a resource in the CSFKEYS class. The name of the resource is the label of the key in the ICSF key database.

See the IBM document z/OS ICSF Administrator's Guide, chapter "Controlling Who Can Use Cryptographic Keys and Services" for instructions on how to use generic resource names, how to give permissions to user groups and connect users to groups, and how to define auditing.

The users (including the SSHD2 user) must have at least READ access to the IRR.DIGTCERT.LISTRING facility. If a user needs access to a key ring belonging to another user, he must have UPDATE access to the facility. This case will arise when using a KnownHostsEkProvider for checking host certificates, because host certificates are best entered as SITE keys and are not owned by the verifier.
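The following batch job is an added example of how the permissions described above could be granted with RACF commands; it is not part of the Tectia documentation. The group name SSHUSERS, the key label TECTIA.HOST.KEY and the job card values are assumptions, and SSHD2 is the server user named above.

```jcl
//SAFPERM  JOB (ACCT),'TECTIA SAF PERMITS',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Hypothetical example: grant the SAF permissions Tectia needs.
//* SSHUSERS  = assumed RACF group holding the Tectia client users
//* TECTIA.HOST.KEY = placeholder label of the server key in the
//*                   ICSF key store (the CSFKEYS resource name is
//*                   the key label)
//* Step 1: CSFSERV controls use of ICSF services; CSFDSG is the
//*         signature service the server and client users need.
//* Step 2: CSFKEYS controls use of the private key itself.
//* Step 3: IRR.DIGTCERT.LISTRING: READ to list the caller's own
//*         key ring, UPDATE to read another user's ring (needed
//*         when host certificates are SITE keys checked through
//*         KnownHostsEkProvider).
//* Step 4: RLIST shows the resulting access lists for review.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CSFSERV) RACLIST(CSFSERV)
  RDEFINE  CSFSERV CSFDSG UACC(NONE)
  PERMIT   CSFDSG CLASS(CSFSERV) ID(SSHD2)    ACCESS(READ)
  PERMIT   CSFDSG CLASS(CSFSERV) ID(SSHUSERS) ACCESS(READ)
  SETROPTS RACLIST(CSFSERV) REFRESH
  SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
  RDEFINE  CSFKEYS TECTIA.HOST.KEY UACC(NONE)
  PERMIT   TECTIA.HOST.KEY CLASS(CSFKEYS) ID(SSHD2) ACCESS(READ)
  SETROPTS RACLIST(CSFKEYS) REFRESH
  RDEFINE  FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SSHD2) -
           ACCESS(READ)
  PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SSHUSERS) -
           ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST    CSFSERV  CSFDSG AUTHUSER
  RLIST    CSFKEYS  TECTIA.HOST.KEY AUTHUSER
  RLIST    FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
/*
```

UACC(NONE) on each resource keeps the default closed, so only the IDs on the access list can sign with the key or read the ring; the RDEFINE commands report an error if the profile already exists, which the following PERMIT commands do not depend on.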
