   Certificates Stored in File 
 
  
To configure SSH Tectia Server for IBM z/OS to authenticate itself using X.509 certificates stored in a file, perform the following tasks:
   
-   Enroll a certificate for the server. This can be done, for example, with the ssh-cmpclient-g3 or ssh-scepclient-g3 command-line tools. Note that the DNS address extension (dns) in the certificate needs to correspond to the fully qualified domain name of the server.

    Example: Key generation and enrollment using ssh-cmpclient-g3:

    # ssh-cmpclient-g3 INITIALIZE \
       -p 62154:secret \
       -P generate://ssh2@rsa:1536/testserv-rsa \
       -s "C=FI,O=SSH,CN=testserv;dns=testserv.ssh.com" \
       -o /opt/tectia/etc/testserv-rsa \
       -S http://fw.example.com:1080 \
       http://pki.example.com:8080/pkix/ \
       'C=FI, O=SSH, CN=Test CA 1'

    For more information on ssh-cmpclient-g3 and ssh-scepclient-g3, see their man pages.
-   Define the private key and the server certificate in the /opt/tectia/etc/sshd2_config file, for example, using the key and certificate created above:

    HostKeyFile              testserv-rsa.prv
    HostCertificateFile      testserv-rsa-0.crt
    HostKey.Cert.Required    no

    Setting the HostKey.Cert.Required option to yes defines that the server must authenticate with a certificate. When keys stored in a file are used, a certificate must be defined with the HostCertificateFile option. Setting the option to no (default) means that the server can use either a normal public key or a certificate, depending on which of them is configured. Setting the option to optional means that the server can use both a certificate and the public key found in the certificate.
-   Restart the server as instructed in Section Restarting sshd2.

For more information on the configuration file options, see sshd2_config.
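The settings from the second step can be checked before the server is restarted. The script below is an added example, not part of the SSH Tectia documentation. It assumes one "Keyword value" pair per line, "#" comments, case-insensitive keywords, and relative file names resolved against the config file's directory; the private-key permission check is likewise an addition.

```shell
#!/bin/sh
# Added example: lint the host-certificate options of an sshd2_config file.
# Assumptions (not from the product manual): one "Keyword value" pair per line,
# "#" starts a comment, keywords are case-insensitive, and relative file names
# resolve against the directory that holds the config file.

# Print the last value given for keyword $2 in config file $1 (empty if unset).
cfg_get() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                        # strip comments
        tolower($1) == tolower(want) { val = $2 }
        END { print val }' "$1"
}

# Print one finding per line; return 1 if any check fails.
check_hostcert_config() {
    conf=$1; dir=$(dirname "$conf"); rc=0
    key=$(cfg_get "$conf" HostKeyFile)
    crt=$(cfg_get "$conf" HostCertificateFile)
    req=$(cfg_get "$conf" HostKey.Cert.Required | tr 'A-Z' 'a-z')
    req=${req:-no}                                # "no" is the documented default
    case $req in
        yes|no|optional) ;;
        *) echo "ERROR: HostKey.Cert.Required must be yes, no or optional"; rc=1 ;;
    esac
    if [ "$req" = yes ] && [ -z "$crt" ]; then
        echo "ERROR: certificate required but HostCertificateFile is not set"; rc=1
    fi
    for f in "$crt" "$key"; do
        [ -z "$f" ] && continue
        case $f in /*) path=$f ;; *) path=$dir/$f ;; esac
        [ -r "$path" ] || { echo "ERROR: cannot read $path"; rc=1; continue; }
        # The private key must not be accessible to group or others.
        if [ "$f" = "$key" ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "ERROR: $path is accessible to group or others"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: certificate required, but no HostCertificateFile line.
demo() {
    d=$(mktemp -d) && : > "$d/testserv-rsa.prv" && chmod 600 "$d/testserv-rsa.prv"
    printf 'HostKeyFile testserv-rsa.prv\nHostKey.Cert.Required yes\n' > "$d/sshd2_config"
    check_hostcert_config "$d/sshd2_config"; status=$?
    rm -rf "$d"; return $status
}

if [ $# -gt 0 ]; then check_hostcert_config "$1"; else demo || echo "demo config rejected"; fi
```

Run it with the path to the config file as its only argument; without arguments it runs against the constructed sample.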
  
 
 
 
 
Copyright © 2011 SSH Communications Security Corp. 