Tectia

CA Certificates Stored in SAF

To configure the client to trust the server's SAF certificate by using Tectia validation, perform the following tasks. Replace the names and IDs with those appropriate to your system:

  1. Get the CA certificate and store it to a dataset, for example 'HOSTCA.CRT'.

  2. To add the CA certificate into SAF, give the following TSO commands:

    RACDCERT CERTAUTH ADD('HOSTCA.CRT') TRUST WITHLABEL('HOSTCA')
    RACDCERT ID(SSHD2) ADDRING(SSH-HOSTCA)
    RACDCERT ID(SSHD2) CONNECT(ID(SSHD2) CERTAUTH LABEL('HOSTCA') 
      RING(SSH-HOSTCA) USAGE(CERTAUTH))
    RACDCERT ID(SSHD2) LISTRING(SSH-HOSTCA)
    
  3. For the settings to take effect, give the following TSO command:

    SETROPTS RACLIST(DIGTCERT) REFRESH
    
  4. Define the z/OS SAF external key provider that contains the CA certificates in the general/cert-validation/key-store element:

    <cert-validation end-point-identity-check="yes" 
                     socks-server-url="socks://fw.example.com:1080">
      <ldap-server address="ldap://ldap.example.com:389" />
      <ocsp-responder url="http://ocsp.example.com:8090" validity-period="0" /> 
      <key-store type="zos-saf"
                 init="KEYS(ID(SSHD2) RING(SSH-HOSTCA)) TRUST-ANCHORS"
                 disable-crls="no"
                 use-expired-crls="0" />
    </cert-validation>

    Also define the LDAP server(s) or OCSP responder(s) used for CRL checks. If the CA services (OCSP, CRLs) are located behind a firewall, also define the SOCKS server.

    Defining the LDAP server is not necessary if the CA certificate contains a CRL Distribution Point or an Authority Info Access extension.

  5. Set the certificate authentication method either under the default settings (default-settings/server-authentication-methods) or per connection profile (profiles/profile/server-authentication-methods). This requires the server to authenticate with a certificate; if it cannot, the authentication fails.

    <server-authentication-methods>
      <authentication-method name="certificate" />
    </server-authentication-methods>
    

For more information on the configuration file options, see ssh-broker-config(5). For information on the format of the external key initialization string, see the section called “Key Store Configuration Examples”.
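As an added check (example code, not part of the Tectia documentation or product), the following Python audits a cert-validation element for the settings step 4 relies on: end-point identity check enabled, a zos-saf key store whose init string names a RING and TRUST-ANCHORS, CRL checking not disabled, expired CRLs rejected, and an LDAP or OCSP revocation source present. The weakened configuration is constructed for contrast; the attribute names come from the page, but the product's defaults are not assumed, so every attribute must be set explicitly to pass.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the page): the hardened cert-validation
# element from step 4, and a hypothetical weakened variant beside it.
STRICT_CFG = """
<cert-validation end-point-identity-check="yes"
                 socks-server-url="socks://fw.example.com:1080">
  <ldap-server address="ldap://ldap.example.com:389" />
  <ocsp-responder url="http://ocsp.example.com:8090" validity-period="0" />
  <key-store type="zos-saf"
             init="KEYS(ID(SSHD2) RING(SSH-HOSTCA)) TRUST-ANCHORS"
             disable-crls="no"
             use-expired-crls="0" />
</cert-validation>
"""

WEAK_CFG = """
<cert-validation end-point-identity-check="no">
  <key-store type="zos-saf"
             init="KEYS(ID(SSHD2) RING(SSH-HOSTCA))"
             disable-crls="yes"
             use-expired-crls="86400" />
</cert-validation>
"""


def audit_cert_validation(xml_text):
    """Return findings for one <cert-validation>; attributes must be explicit."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    if root.get("end-point-identity-check") != "yes":
        findings.append("end-point-identity-check is not 'yes'")
    saf_stores = [k for k in root.findall("key-store") if k.get("type") == "zos-saf"]
    if not saf_stores:
        findings.append("no key-store of type zos-saf")
    for ks in saf_stores:
        init = ks.get("init", "")
        if "TRUST-ANCHORS" not in init:
            findings.append("key-store init lacks TRUST-ANCHORS")
        if not re.search(r"RING\([^)]+\)", init):
            findings.append("key-store init names no RING(...)")
        if ks.get("disable-crls") != "no":
            findings.append("disable-crls is not 'no'")
        if ks.get("use-expired-crls") != "0":
            findings.append("use-expired-crls is not '0'")
    # A missing revocation source is acceptable only when the CA certificate
    # itself carries a CRL Distribution Point or Authority Info Access extension.
    if root.find("ldap-server") is None and root.find("ocsp-responder") is None:
        findings.append("no ldap-server or ocsp-responder configured")
    return findings
```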
