


ssh-externalkeys — Using external keys with Tectia Server for IBM z/OS


This document contains general information about using external keys with Tectia Server for IBM z/OS.

Using External Keys

For applications capable of using external keys, two strings need to be specified: the provider name and the initialization string for the provider. These strings can be given on the command line or in a configuration file, depending on the application. The following section describes the different providers available in more detail.

The provider name and/or the initialization string may be defined in the following configuration attributes and keywords:

In ssh-broker-config.xml:




In sshd2_config:





In ssh_certd_config:




External Key Providers


The zos-saf provider is used for accessing keys stored in the IBM z/OS System Authorization Facility (SAF).

The initialization string for the zos-saf provider specifies the key(s) to be used and it has the following components:

{KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...

KEYS(..) may repeat. The sub-attributes are:

  • ID - A SAF user ID signifying the owner of the key ring. If missing, the current user's ID is used.

  • RING - Key ring name. Mandatory.

  • LABEL - The SAF key label. If missing, and DEFAULT is missing, use all the keys in the key ring.

  • DEFAULT - Use the key that is marked as the default key on the key ring. Do not specify together with LABEL.

Values must be written in single quotation marks if they contain single quotation marks or parentheses.

The initialization string specified with the HostKeyEkInitString keyword of sshd2_config must point to a single private key. If the key ring contains several keys, LABEL must be used to distinguish between the keys.

When using a trusted key provider and the Tectia Certificate Validator, specify KEYS variables that include all the CA certificates needed, for example:

PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA'))"

The key-store[@init] attribute of ssh-broker-config.xml and the AuthorizationEkProvider keyword of sshd2_config can contain special strings in the key specification that are mapped according to the following list:

  • %U = user name

  • %IU = user ID

  • %IG = user group ID

  • %UU = user name in upper case (AuthorizationEkProvider only)

  • %UL = user name in lower case (AuthorizationEkProvider only)
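
The following lint checks a zos-saf initialization string against the grammar and rules described above before it is placed in a configuration file. It is an added example, not Tectia code. It assumes upper-case keywords, attributes in any order, no quote characters inside a quoted value, and that DEFAULT selects exactly one key; host_key_findings is a hypothetical helper name.

```python
import re

# Assumptions (not from the Tectia manual): keywords are upper case, attributes
# may appear in any order, and a quoted value cannot itself contain a quote.
# A value is single-quoted, or free of quotes and parentheses (the page's rule).
_ATTR = re.compile(r"\s*(?:(ID|RING|LABEL)\(\s*('[^']*'|[^()']+?)\s*\)|(DEFAULT)\b)")
_OPEN = re.compile(r"\s*KEYS\(")
_CLOSE = re.compile(r"\s*\)\s*")


def parse_init_string(text):
    """Parse a zos-saf initialization string into one dict per KEYS(...) group."""
    groups, pos = [], 0
    while pos < len(text):
        m = _OPEN.match(text, pos)
        if not m:
            raise ValueError(f"expected KEYS( at offset {pos}")
        pos, group = m.end(), {}
        while (m := _ATTR.match(text, pos)):
            name = m.group(1) or m.group(3)
            if name in group:
                raise ValueError(f"{name} given twice in one KEYS group")
            group[name] = True if name == "DEFAULT" else m.group(2).strip("'")
            pos = m.end()
        m = _CLOSE.match(text, pos)
        if not m:
            raise ValueError(f"unbalanced or unknown text at offset {pos}")
        pos = m.end()
        if "RING" not in group:
            raise ValueError("RING is mandatory in every KEYS group")
        if "LABEL" in group and "DEFAULT" in group:
            raise ValueError("LABEL and DEFAULT must not be combined")
        groups.append(group)
    if not groups:
        raise ValueError("no KEYS group found")
    return groups


def host_key_findings(text):
    """Flag strings that may not resolve to the single key HostKeyEkInitString needs."""
    # Treating DEFAULT as a single-key selector is this example's reading of the page.
    groups = parse_init_string(text)
    findings = []
    if len(groups) > 1:
        findings.append("more than one KEYS group")
    for g in groups:
        if "LABEL" not in g and "DEFAULT" not in g:
            findings.append(f"ring {g['RING']}: no LABEL, every key on the ring is selected")
    return findings
```

Pass only the value inside the double quotes of the configuration line; the %U-style placeholders are accepted as ordinary unquoted values and are not expanded.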

