User Authentication with Certificates
SSH Tectia Server for IBM z/OS includes two implementations of certificate authentication.
One is based on keys and X.509 certificates stored in files, with the
cryptographic operations performed in software. This is the same
implementation that is available in SSH Tectia products on other
platforms. The other is based on keys and certificates managed by the
z/OS System Authorization Facility (SAF), with the cryptographic
operations handled by the z/OS Integrated Cryptographic Service Facility
(ICSF).
For more information, see Server Authentication with Certificates.
The server can be configured to allow or require certificate-based user
authentication. To use SAF certificates, a trusted key provider must be
configured. The users must be set up with digital certificates.
When using a certificate, the client can start authentication without
presenting a username. If the username given by the user matches the
value of the IdentityDispatchUsers option in the server configuration,
the name retrieved from SAF is used instead. However, the user ID cannot
change during the authentication process. For example, if the server
requires certificate authentication first and then password
authentication, the user must give the password of the user ID that SAF
determined from the certificate.
SAF determines the z/OS username using one-to-one certificate to user
ID association, certificate name filtering, or the
HostIdMappings certificate extension. SSH Tectia Server for IBM z/OS does not
participate in this processing.
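The following is an added, simplified model of the dispatch rules described above; it is not code from SSH Tectia Server or from z/OS SAF. The three SAF mapping methods (one-to-one association, certificate name filtering, HostIdMappings) are reduced to dictionary lookups on constructed data, the IdentityDispatchUsers value "dispatch" is invented for the demo, and the treatment of a presented username that is neither the dispatch name nor the SAF-determined user (rejected here) is an assumption of the model. What it exercises is the rule the page states: once a certificate fixes the user ID, a later password step for a different user ID is refused.

```python
"""Model of SAF-mapped certificate authentication (added illustration only;
not SSH Tectia Server or SAF code). Mapping data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Certificate:
    issuer: str
    serial: int
    subject: str
    # Simplified HostIdMappings extension: (host name, user ID) pairs.
    host_id_mappings: list = field(default_factory=list)


@dataclass
class SafStub:
    """Stand-in for SAF: the three mapping methods as plain lookups."""
    one_to_one: dict      # (issuer, serial) -> user ID
    name_filters: dict    # subject-DN suffix -> user ID
    hostname: str         # this server's host name, for HostIdMappings

    def user_for_certificate(self, cert: Certificate) -> Optional[str]:
        user = self.one_to_one.get((cert.issuer, cert.serial))
        if user:
            return user
        for suffix, mapped in self.name_filters.items():
            if cert.subject.endswith(suffix):
                return mapped
        for host, mapped in cert.host_id_mappings:
            if host == self.hostname:
                return mapped
        return None


class AuthError(Exception):
    pass


class Session:
    """Server side of one SSH authentication exchange."""

    def __init__(self, saf: SafStub, identity_dispatch_users: str):
        self.saf = saf
        self.dispatch_user = identity_dispatch_users
        self.user: Optional[str] = None   # fixed once certificate auth succeeds

    def certificate_auth(self, presented: Optional[str], cert: Certificate) -> str:
        saf_user = self.saf.user_for_certificate(cert)
        if saf_user is None:
            raise AuthError("SAF has no user ID for this certificate")
        # No name, or the dispatch name: use the user ID SAF determined.
        if presented is None or presented == self.dispatch_user:
            effective = saf_user
        elif presented == saf_user:   # assumption: other names must agree with SAF
            effective = saf_user
        else:
            raise AuthError(f"certificate maps to {saf_user}, not {presented}")
        self.user = effective
        return effective

    def password_auth(self, presented: str, password: str, passwords: dict) -> str:
        # A later method may not switch to a different user ID.
        if self.user is not None and presented != self.user:
            raise AuthError(f"user ID {presented} differs from {self.user}")
        if passwords.get(presented) != password:
            raise AuthError("bad password")
        self.user = presented
        return presented


def demo() -> dict:
    """Exercise each mapping method and the user-ID-change rule (constructed data)."""
    saf = SafStub(one_to_one={("CN=Corp CA,O=Example", 4711): "ALICE"},
                  name_filters={"OU=Operators,O=Example": "OPSUSR"},
                  hostname="zos1.example.com")
    passwords = {"ALICE": "a-secret", "OPSUSR": "ops-secret", "BOB": "b-secret"}
    results = {}
    # One-to-one association; client sends no user name at all.
    s = Session(saf, "dispatch")
    alice = Certificate("CN=Corp CA,O=Example", 4711, "CN=Alice,OU=Dev,O=Example")
    results["one_to_one"] = s.certificate_auth(None, alice)
    try:   # second method must stay with the SAF-determined user
        s.password_auth("BOB", "b-secret", passwords)
        results["switch_rejected"] = False
    except AuthError:
        results["switch_rejected"] = True
    results["password_ok"] = s.password_auth("ALICE", "a-secret", passwords)
    # Certificate name filter; client sends the dispatch user name.
    ops = Certificate("CN=Corp CA,O=Example", 9, "CN=Op1,OU=Operators,O=Example")
    results["name_filter"] = Session(saf, "dispatch").certificate_auth("dispatch", ops)
    # HostIdMappings extension carrying a mapping for this host.
    bob = Certificate("CN=Other CA", 1, "CN=Bob,O=Partner",
                      host_id_mappings=[("zos1.example.com", "BOB")])
    results["host_id_mappings"] = Session(saf, "dispatch").certificate_auth(None, bob)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the order of checks in `password_auth`: the user-ID comparison comes before the credential check, so a client cannot use a valid password for a second account to move the session away from the identity SAF bound to the certificate.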
The server checks the user certificate using SAF and can be configured
to do a full PKI validation using the SSH Tectia Certificate Validator.