

Certificates Stored in File

To configure Tectia Server for IBM z/OS to authenticate itself using X.509 certificates stored in a file, perform the following tasks:

  1. Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.

    Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.

    Example: Key generation and enrollment using ssh-cmpclient-g3:

    # ssh-cmpclient-g3 INITIALIZE \
       -p 62154:secret \
       -P generate://ssh2@rsa:1536/testserv-rsa \
       -s "C=FI,O=SSH,CN=testserv;" \
       -o /opt/tectia/etc/testserv-rsa \
       -S \ \
       'C=FI, O=SSH, CN=Test CA 1'

    For more information on ssh-cmpclient-g3 and ssh-scepclient-g3, see their man pages.

  2. Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:

    HostKeyFile              testserv-rsa.prv
    HostCertificateFile      testserv-rsa-0.crt
    HostKey.Cert.Required    no

    Setting the sshd2_config option HostKey.Cert.Required to yes means that the server must authenticate with a certificate. When keys stored in a file are used, the certificate must then be defined with the HostCertificateFile option. Setting the option to no (the default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.

  3. Restart the server as instructed in Restarting and Stopping sshd2.
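The following script is an added example (not Tectia's own tooling) that checks an sshd2_config fragment for the consistency rule described in step 2 and, where the openssl CLI is available, that the enrolled certificate carries the DNS name required in step 1. It assumes options are written one per line as "Name value", as in the fragment above.

```shell
# Consistency check for the sshd2_config host-key settings shown above.
# Added example, not Tectia's own tooling. Assumes options are written one
# per line as "Name value", as in the fragment on this page.

# Print the value of option $2 from config file $1 (last occurrence wins).
cfg_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Verify that the key/certificate options agree with HostKey.Cert.Required.
# Returns 0 when consistent, 1 otherwise, printing each problem found.
check_hostkey_cert() {
    keyfile=$(cfg_get "$1" HostKeyFile)
    certfile=$(cfg_get "$1" HostCertificateFile)
    required=$(cfg_get "$1" HostKey.Cert.Required)
    rc=0
    [ -n "$keyfile" ] || { echo "HostKeyFile is not set"; rc=1; }
    case "${required:-no}" in        # unset means the default, "no"
        yes) [ -n "$certfile" ] || {
                 echo "HostKey.Cert.Required is yes but HostCertificateFile is not set"
                 rc=1; } ;;
        no|optional) ;;
        *) echo "HostKey.Cert.Required has unknown value '$required'"; rc=1 ;;
    esac
    return $rc
}

# Check that the certificate file $1 carries a DNS SAN equal to the FQDN $2
# (the requirement from step 1). Needs the openssl CLI (1.1.1 or later for
# the -ext option); not exercised in the offline demo below.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Demo on a constructed copy of the fragment from this page.
demo_cfg=$(mktemp)
printf 'HostKeyFile              testserv-rsa.prv\n' > "$demo_cfg"
printf 'HostCertificateFile      testserv-rsa-0.crt\n' >> "$demo_cfg"
printf 'HostKey.Cert.Required    no\n' >> "$demo_cfg"
check_hostkey_cert "$demo_cfg" && echo "sshd2_config host-key settings are consistent"
rm -f "$demo_cfg"
```

Run it against /opt/tectia/etc/sshd2_config after editing, and against the .crt file with the server's FQDN, before restarting sshd2.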
