
SSH Tectia

Certificate Authentication on IBM z/OS

SSH Tectia Server for IBM z/OS includes two implementations of certificate authentication. One is based on keys and X.509 certificates in files and software cryptography. This is the same implementation that is available in SSH Tectia 4.x products on other platforms. The other is based on keys and certificates managed by the z/OS System Authorization Facility (SAF) and cryptographic operations handled by the z/OS Integrated Cryptographic Service Facility (ICSF).

The two implementations may be combined. SAF validation may be complemented with the SSH Tectia 4.x certificate validator, and the SSH Tectia 4.x implementation may use trusted keys stored in SAF.

The interface to SAF in SSH Tectia Server for IBM z/OS is implemented with an SSH Tectia External Key Provider. The External Key Providers are configured with specification strings in a configuration file or on a command line.

If only SAF validation is used, the certificate validity period and revocation status are not checked. Security-wise, this is equivalent to normal public-key authentication, with the keys stored securely in SAF. Note also that if SAF is used purely as a key store, the certificates have to be distributed to each host separately, and the scalability advantage of PKI is lost.



