
Certificates Stored in File

To configure Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:

  1. Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.

    Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.

    Example: Key generation and enrollment using ssh-cmpclient-g3:

    # ssh-cmpclient-g3 INITIALIZE \
       -p 62154:secret \
       -P generate://ssh2@rsa:1536/testserv-rsa \
       -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
       -o /opt/tectia/etc/testserv-rsa \
       -S http://fw.example.com:1080 \
       http://pki.example.com:8080/pkix/ \
       'C=FI, O=SSH, CN=Test CA 1'

    For more information on the ssh-cmpclient-g3 and ssh-scepclient-g3, see the man pages.

  2. Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:

    HostKeyFile              testserv-rsa.prv
    HostCertificateFile      testserv-rsa-0.crt
    HostKey.Cert.Required    no

    Setting the HostKey.Cert.Required option to yes specifies that the server must authenticate with a certificate. When keys stored in files are used, the certificate must then be defined with the HostCertificateFile option. Setting the option to no (the default) means that the server can use either a plain public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both the certificate and the public key contained in that certificate.

  3. Restart the server as instructed in Restarting and Stopping sshd2.

For more information on the configuration file options, see sshd2_config.
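The following is an added example, not code from Tectia or its documentation. It performs the two sanity checks a practitioner would want before restarting sshd2: that the dns extension given to ssh-cmpclient-g3 matches the server's fully qualified domain name, and that the HostKeyFile / HostCertificateFile / HostKey.Cert.Required combination in sshd2_config is consistent with the rules stated above. It assumes sshd2_config uses one "Keyword value" pair per line with # comments, that relative key and certificate paths resolve against /opt/tectia/etc, and that the -s subject string separates extensions with semicolons; the sample inputs are constructed from the values on this page.

```python
"""Sanity checks for Tectia sshd2_config host certificate settings.

Added example, not Tectia's own code. Assumptions (labelled below):
  - sshd2_config lines are "Keyword value", '#' starts a comment
  - relative HostKeyFile/HostCertificateFile paths resolve under /opt/tectia/etc
  - the ssh-cmpclient-g3 -s string separates extensions with ';'
"""
import os

ETC_DIR = "/opt/tectia/etc"  # assumed base directory for relative paths

# Constructed sample, mirroring the values used on this page.
SAMPLE_CONFIG = """
# host key and certificate enrolled with ssh-cmpclient-g3
HostKeyFile              testserv-rsa.prv
HostCertificateFile      testserv-rsa-0.crt
HostKey.Cert.Required    no
"""
SAMPLE_SUBJECT = "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com"


def parse_sshd2_config(text):
    """Return {keyword: value}; a later occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)  # assumed "Keyword value" layout
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def dns_extension(subject):
    """Return the dns= value from a -s subject string, or None if absent."""
    for part in subject.split(";")[1:]:  # assumed ';'-separated extensions
        key, _, value = part.partition("=")
        if key.strip().lower() == "dns":
            return value.strip()
    return None


def check_dns_matches_fqdn(subject, fqdn):
    """True when the certificate's dns extension equals the server FQDN."""
    dns = dns_extension(subject)
    return dns is not None and dns.lower() == fqdn.lower()


def check_host_cert_settings(settings, exists=os.path.isfile):
    """Return a list of problems; an empty list means the combination is usable.

    'exists' is injectable so the check can run without the real files.
    """
    problems = []
    required = settings.get("HostKey.Cert.Required", "no").lower()
    key = settings.get("HostKeyFile")
    cert = settings.get("HostCertificateFile")

    if required not in ("yes", "no", "optional"):
        problems.append("HostKey.Cert.Required has unknown value %r" % required)
    if key is None:
        problems.append("HostKeyFile is not set")
    # yes: server must use a certificate; optional: certificate plus its key.
    # Both therefore need HostCertificateFile when keys are stored in files.
    if required in ("yes", "optional") and cert is None:
        problems.append("HostKey.Cert.Required is %s but HostCertificateFile "
                        "is not set" % required)
    for label, path in (("HostKeyFile", key), ("HostCertificateFile", cert)):
        if path is not None:
            full = path if os.path.isabs(path) else os.path.join(ETC_DIR, path)
            if not exists(full):
                problems.append("%s refers to missing file %s" % (label, full))
    return problems


if __name__ == "__main__":
    cfg = parse_sshd2_config(SAMPLE_CONFIG)
    print("dns matches FQDN:", check_dns_matches_fqdn(SAMPLE_SUBJECT, "testserv.ssh.com"))
    for problem in check_host_cert_settings(cfg) or ["no problems found"]:
        print(problem)
```

Run it on the z/OS host after step 2; with the real files present, the file-existence check uses the default os.path.isfile, and any reported problem should be fixed before restarting sshd2.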
