[Contents] [Index]

About This Document >>     Installing SSH Tectia Server for IBM z/OS >>     Getting Started with SSH Tectia Server for IBM z/OS >>     Configuring the Server >>     Authentication >>         Using the z/OS System Authorization Facility         Server Authentication with Public Keys in File >>         Server Authentication with Certificates >>         User Authentication with Passwords         User Authentication with Public Keys in File >>         User Authentication with Certificates >>             Certificates Stored in File             Certificate User Mapping File             Certificates Stored in SAF         Host-Based User Authentication >>         User Authentication with Keyboard-Interactive     System Administration >>     File Transfer Using SFTP >>     Secure File Transfer Using Transparent FTP Security >>     Tunneling >>     Troubleshooting SSH Tectia Server for IBM z/OS >>     Man Pages and Default Configuration Files >>     Log Messages >>

Certificates Stored in File

To configure the server to allow user authentication with certificates, perform the following tasks:

1. Acquire the CA certificate and copy it to the server machine. You can either copy the X.509 certificate(s) as such or you can copy a PKCS #7 package including the CA certificate(s). Certificates can be extracted from a PKCS #7 package by specifying the -7 flag with ssh-keygen-g3.
2. Certificate authentication is a part of the publickey authentication method. Make sure that you have enabled it in the /opt/tectia/etc/sshd2_config file:

   AllowedAuthentications publickey AuthPublicKey.Cert.Required no

   Setting the AuthPublicKey.Cert.Required option to yes defines that the user must authenticate with a certificate or else the authentication will fail.
3. Specify the trusted CA certificate and the mapping file(s) in the ssh_certd_config file:

   Pki <ca-cert-path> MapFile <map-file-path>

   You can define several CA certificates by using several Pki keywords.

   Pki test-ca1.crt MapFile cert-user-mapping1.txt Pki test-ca2.crt MapFile cert-user-mapping2a.txt MapFile cert-user-mapping2b.txt

   Note that multiple MapFile keywords are permitted per Pki keyword. Also, if no mapping file is defined, all connections are denied even if user certificates can be verified using the defined CA certificate. The server will accept only certificates issued by defined CA(s).
4. Also define the LDAP server(s) used for CRL checks in the ssh_certd_config file. If the CA services (OCSP, CRLs) are located behind a firewall, define also the SOCKS server.

   LdapServers ldap://ldap.example.com:389 SocksServer socks://fw.example.com:1080

   Defining the LDAP server is not necessary if the CA certificate contains a CRL Distribution Point or an Authority Info Access extension.
5. Create the certificate user mapping file as described in Section Certificate User Mapping File.
6. Restart ssh-certd as instructed in Section Restarting ssh-certd.

For more information on the configuration file options, see sshd2_config and ssh_certd_config.