To configure Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:
Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.
Example: Key generation and enrollment using ssh-cmpclient-g3:
    # ssh-cmpclient-g3 INITIALIZE \
        -p 62154:secret \
        -P generate://ssh2@rsa:1536/testserv-rsa \
        -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
        -o /opt/tectia/etc/testserv-rsa \
        -S http://fw.example.com:1080 \
        http://pki.example.com:8080/pkix/ \
        'C=FI, O=SSH, CN=Test CA 1'
For more information on ssh-cmpclient-g3 and ssh-scepclient-g3, see their man pages.
Define the server's private key and certificate in the server configuration file. Example:

    HostKeyFile testserv-rsa.prv
    HostCertificateFile testserv-rsa-0.crt
    HostKey.Cert.Required no

Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When keys in file are used, the certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.
Restart the server as instructed in Restarting and Stopping sshd2.
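As an added example, not part of the Tectia documentation: a small Python check that parses a configuration fragment in the "Keyword value" layout shown in the configuration step (an assumption about the file format, with '#' taken as a comment marker) and applies the HostKey.Cert.Required rules stated there, so a fragment that demands a certificate without naming one is caught before the server is restarted.

```python
import shlex

VALID_CERT_REQUIRED = {"yes", "no", "optional"}

# The fragment shown in the configuration step above (keys in file, certificate optional).
PAGE_FRAGMENT = """\
HostKeyFile testserv-rsa.prv
HostCertificateFile testserv-rsa-0.crt
HostKey.Cert.Required no
"""

# Constructed misconfiguration: a certificate is demanded but none is named.
BROKEN_FRAGMENT = """\
HostKeyFile testserv-rsa.prv
HostKey.Cert.Required yes   # certificate-only authentication
"""


def parse_sshd2_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines; '#' starts a comment, the last definition wins."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) < 2:
            raise ValueError(f"malformed configuration line: {raw!r}")
        settings[parts[0]] = " ".join(parts[1:])
    return settings


def check_hostkey_settings(settings: dict[str, str]) -> list[str]:
    """Apply the HostKey.Cert.Required rules from the text; an empty list means consistent."""
    findings: list[str] = []
    required = settings.get("HostKey.Cert.Required", "no").lower()  # 'no' is the default
    if required not in VALID_CERT_REQUIRED:
        findings.append(f"HostKey.Cert.Required has unknown value {required!r}")
    if "HostKeyFile" not in settings:
        findings.append("HostKeyFile is not defined")
    # 'yes' forces certificate authentication and 'optional' still uses the certificate,
    # so both need HostCertificateFile; only 'no' can fall back to the plain public key.
    if required in ("yes", "optional") and "HostCertificateFile" not in settings:
        findings.append(f"HostKey.Cert.Required is {required} but HostCertificateFile is missing")
    return findings


if __name__ == "__main__":
    for name, fragment in (("page", PAGE_FRAGMENT), ("broken", BROKEN_FRAGMENT)):
        print(name, check_hostkey_settings(parse_sshd2_config(fragment)) or "OK")
```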
For more information on the configuration file options, see