SSH Tectia

Certificate Authentication on IBM z/OS

SSH Tectia Server for IBM z/OS includes two implementations of certificate authentication. One is based on keys and X.509 certificates in files and software cryptography. This is the same implementation that is available in SSH Tectia 4.x products on other platforms. The other is based on keys and certificates managed by the z/OS System Authorization Facility (SAF) and cryptographic operations handled by the z/OS Integrated Cryptographic Service Facility (ICSF).

The two implementations may be combined. SAF validation may be complemented with the SSH Tectia 4.x certificate validator and the SSH Tectia 4.x implementation may use trusted keys stored in SAF.

The interface to SAF in SSH Tectia Server for IBM z/OS is implemented with an SSH Tectia External Key Provider. The External Key Providers are configured with specification strings in a configuration file or on a command line.

If only SAF validation is used, the certificate's validity period and revocation status are not checked. In security terms, this is equivalent to ordinary public-key authentication, with the keys stored securely in SAF. Note also that if SAF is used purely as a key store, the certificates have to be distributed to each host separately, and the scalability advantage of PKI is lost.