Certificates Stored in File

To configure Tectia Server for IBM z/OS to authenticate itself using X.509 certificates from file, perform the following tasks:

  1. Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools.

    Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.

    Example: Key generation and enrollment using ssh-cmpclient-g3:

    # ssh-cmpclient-g3 INITIALIZE \
       -p 62154:secret \
       -P generate://ssh2@rsa:2048/testserv-rsa \
       -s "C=FI,O=SSH,CN=testserv;" \
       -o /opt/tectia/etc/testserv-rsa \
       -S <url> \
       'C=FI, O=SSH, CN=Test CA 1'

    The <url> argument of the -S option is not shown on this page; see the ssh-cmpclient-g3 man page for its meaning. The final argument is the distinguished name of the CA.

    For more information on ssh-cmpclient-g3 and ssh-scepclient-g3, see their man pages.

  2. Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:

    HostKeyFile              testserv-rsa.prv
    HostCertificateFile      testserv-rsa-0.crt
    HostKey.Cert.Required    no

    Setting the sshd2_config option HostKey.Cert.Required to yes defines that the server must authenticate with a certificate. When keys in file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.

  3. Restart the server as instructed in Restarting the Server.
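The following is an added example, not code from the Tectia documentation or product. It parses the three sshd2_config options used in step 2 (HostKeyFile, HostCertificateFile, HostKey.Cert.Required) and reports combinations that contradict the rules given for HostKey.Cert.Required, so a misconfiguration can be caught before the server is restarted in step 3. It assumes the configuration syntax is one "Keyword value" pair per line with lines starting with # treated as comments, and that relative file names resolve against /opt/tectia/etc; the sample configurations embedded in it are constructed.

```python
"""Consistency check for the host-certificate options in sshd2_config.

Added example, not part of the Tectia documentation or product.
Assumptions: one 'Keyword value' pair per line, lines starting with
'#' are comments, relative file names resolve against /opt/tectia/etc.
The sample configurations below are constructed for this example.
"""
import os

CONFIG_DIR = "/opt/tectia/etc"  # assumed base for relative key/certificate file names
VALID_REQUIRED = ("yes", "no", "optional")


def parse_sshd2_config(text):
    """Return {keyword (lower-cased): value} for each 'Keyword value' line."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; ignored by this checker
        keyword, value = parts
        options[keyword.lower()] = value.strip()
    return options


def resolve_path(name, config_dir=CONFIG_DIR):
    """Resolve a key or certificate file name; relative names are taken
    relative to the configuration directory (an assumption of this example)."""
    return name if os.path.isabs(name) else os.path.join(config_dir, name)


def check_host_certificate_options(text):
    """Return a list of findings; an empty list means the options are consistent.

    Rules encoded from the description of HostKey.Cert.Required:
      yes      -> a HostCertificateFile must be configured (keys in file).
      no       -> default; a plain key or a certificate, whichever is configured.
      optional -> both the certificate and the public key in it may be used.
    A HostKeyFile is needed in every case.
    """
    opts = parse_sshd2_config(text)
    findings = []

    required = opts.get("hostkey.cert.required", "no").lower()
    key_file = opts.get("hostkeyfile")
    cert_file = opts.get("hostcertificatefile")

    if required not in VALID_REQUIRED:
        findings.append("HostKey.Cert.Required has unknown value %r "
                        "(expected yes, no or optional)" % required)
    if not key_file:
        findings.append("HostKeyFile is not configured; the server has no "
                        "private key to authenticate with")
    if required == "yes" and not cert_file:
        findings.append("HostKey.Cert.Required is yes but HostCertificateFile "
                        "is not set; the server could not present a certificate")
    return findings


# Constructed sample: the configuration shown in step 2.
SAMPLE_OK = """\
HostKeyFile              testserv-rsa.prv
HostCertificateFile      testserv-rsa-0.crt
HostKey.Cert.Required    no
"""

# Constructed sample: certificate made mandatory but none configured.
SAMPLE_MISSING_CERT = """\
# host key only
HostKeyFile              testserv-rsa.prv
HostKey.Cert.Required    yes
"""


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("missing-cert", SAMPLE_MISSING_CERT)):
        findings = check_host_certificate_options(sample)
        print(label, "->", findings or "consistent")
        opts = parse_sshd2_config(sample)
        for key in ("hostkeyfile", "hostcertificatefile"):
            if key in opts:
                print("   ", key, "=", resolve_path(opts[key]))
```

Run it against the real file with `check_host_certificate_options(open("/opt/tectia/etc/sshd2_config").read())`; the resolved paths it prints are the files that must exist and be readable by the server before the restart.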
