![]() ![]() |
To configure Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:
Enroll a certificate for the server. This can be done, for example, with the
ssh-cmpclient-g3
orssh-scepclient-g3
command-line tools.Note that the DNS address extension (
dns
) in the certificate needs to correspond to the fully qualified domain name of the server.Example: Key generation and enrollment using
ssh- cmpclient-g3
:# ssh-cmpclient-g3 INITIALIZE \ -p 62154:secret \ -P generate://ssh2@rsa:1536/testserv-rsa \ -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \ -o /opt/tectia/etc/testserv-rsa \ -S http://fw.example.com:1080 \ http://pki.example.com:8080/pkix/ \ 'C=FI, O=SSH, CN=Test CA 1'
For more information on the
ssh-cmpclient-g3
andssh-scepclient-g3
, see the man pages.Define the private key and the server certificate in the
/opt/tectia/etc/sshd2_config
file, for example, using the key and certificate created above:HostKeyFile testserv-rsa.prv HostCertificateFile testserv-rsa-0.crt HostKey.Cert.Required no
Setting the
HostKey.Cert.Required
option toyes
defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with theHostCertificateFile
option. Setting the option tono
(default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option tooptional
means that the server can use both a certificate and the public key found in the certificate.Restart the server as instructed in Restarting and Stopping
sshd2
.
For more information on the configuration file options, see sshd2_config
.