Your browser does not allow storing cookies. We recommend enabling them.

SSH

CA Certificates Stored in SAF

To configure the client to trust the server's SAF certificate by using Tectia validation, perform the following tasks. Replace the names and IDs with those appropriate to your system:

  1. Get the CA certificate and store it to a data set, for example 'HOSTCA.CRT'.

  2. To add the CA certificate into SAF, give the following TSO commands:

    RACDCERT CERTAUTH ADD('HOSTCA.CRT') TRUST WITHLABEL('HOSTCA')
    RACDCERT ID(SSHD2) ADDRING(SSH-HOSTCA)
    RACDCERT ID(SSHD2) CONNECT(ID(SSHD2) CERTAUTH LABEL('HOSTCA') 
      RING(SSH-HOSTCA) USAGE(CERTAUTH))
    RACDCERT ID(SSHD2) LISTRING(SSH-HOSTCA)
    
  3. For the settings to take effect, give the following TSO command:

    SETROPTS RACLIST(DIGTCERT) REFRESH
    
  4. Define the z/OS SAF external key provider that contains the CA certificates in the general/cert-validation/key-store element:

    <cert-validation end-point-identity-check="yes" 
                     socks-server-url="socks://fw.example.com:1080">
      <ldap-server address="ldap://ldap.example.com:389" />
      <ocsp-responder url="http://ocsp.example.com:8090" validity-period="0" /> 
      <key-store type="zos-saf"
                 init="KEYS(ID(SSHD2) RING(SSH-HOSTCA)) TRUST-ANCHORS"
                 disable-crls="no"
                 use-expired-crls="0" />
    </cert-validation>         
    

    Define also the LDAP server(s) or OCSP responder(s) used for CRL checks. If the CA services (OCSP, CRLs) are located behind a firewall, define also the SOCKS server.

    Defining the LDAP server is not necessary if the CA certificate contains a CRL Distribution Point or an Authority Info Access extension.

  5. Setting the certificate authentication method either under default settings (default-settings/server-authentication-methods) or per connection profile (profiles/profile/server-authentication-methods) defines that the server must authenticate with a certificate or else the authentication will fail.

    <server-authentication-methods>
      <auth-server-certificate />
    </server-authentication-methods>
    

For more information on the configuration file options, see ssh-broker-config(5). For information on the format of the external key initialization string, see the section called “Key Store Configuration Examples”.


 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now