SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
    Authentication >>
    System Administration >>
    File Transfer Using SFTP >>
    Secure File Transfer Using Transparent FTP Security >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Man Pages and Default Configuration Files >>
        ssh-certd
        ssh_certd_config
        ssh-dummy-shell
        ssh-externalkeys
        sshd-check-conf
        sshd2
        sshd2_config
        sshd2_subconfig
        sshregex
        Default sshd2_config Configuration File
        Default ssh_certd_config Configuration File
    Log Messages >>

ssh-externalkeys

SSH-EXTERNALKEYS(5)            SSH2           SSH-EXTERNALKEYS(5)


DESCRIPTION
       This  document  contains  general  information about using
       external keys with SSH Tectia Server for IBM z/OS.


USING EXTERNAL KEYS
       For applications  capable  of  using  external  keys,  two
       strings  need  to  be specified: the provider name and the
       initialization string for the provider. These strings  can
       be  given  on the command line or in a configuration file,
       depending  on  the  application.  The  following   section
       describes   the  different  providers  available  in  more
       detail.

       The provider name and/or the initialization string may  be
       defined in the following configuration attributes and 
       keywords:

       In ssh-broker-config.xml:

           cert-validation/key-store[@type="provider",init="initstring"]
           known-hosts/key-store[@type="provider",init="initstring"]
           key-stores/key-store[@type="provider",init="initstring"]


       In sshd2_config:

           AuthorizationEkProvider="provider:initstring"
           HostKeyEkInitString="initstring"
           HostKeyEkProvider="provider"
           KnownHostsEkProvider="provider:initstring"


       In ssh_certd_config:

           HostCAEkProvider="provider:initstring"
           HostCAEkProviderNoCRLs="provider:initstring"
           PkiEkProvider="provider:initstring"


EXTERNAL KEY PROVIDERS
       zos-saf

              The  zos-saf  provider  is  used for accessing keys
              stored in the IBM z/OS System Authorization  Facil-
              ity (SAF).

              The  initialization string for the zos-saf provider
              specifies the key(s) to be used and it has the fol-
              lowing components:

              {KEYS([ID(xxx)]RING(xxx) [LABEL(xxx)|DEFAULT])}...

              KEYS(..) may repeat. The subattributes are:

              ID - A SAF user id signifying the owner of the  key
              ring. If missing, the current user's id is used.

              RING - Key ring name. Mandatory.

              LABEL  - The SAF key label. If missing, and DEFAULT
              is missing, use all the keys in the key ring.

              DEFAULT  - Use  the  key  that  is  marked  as  the
              default  key  on  the  key  ring.  Do  not  specify
              together with LABEL.

              Values must be written in single quotation marks if 
              they contain single quotation marks or parenthesis.

              The   initialization   string  specified  with  the
              HostKeyEkInitString keyword  of  sshd2_config  must
              point to a single private key. If the key ring con-
              tains several keys, LABEL must be used  to  distin-
              guish between the keys.

              When using a trusted key provider and the SSH  Tec-
              tia  Certificate  Validator, specify KEYS variables
              that include all the CA  certificates  needed,  for
              example:

              PkiEkProvider="zos-saf"
              PkiEkInitString="KEYS(RING(Trusted.CAs) LABEL('Primary CA'))
                               KEYS(ID(SSHTEST) RING(Internal.CAs))"

              The key-store[@init] attribute of ssh-broker-config.xml 
              and the AuthorizationEkProvider keyword of sshd2_config 
              can contain  special  strings  in the key specification
              that are mapped according the following list:

              %U = user name

              %IU = user ID

              %IG = user group ID


AUTHORS
       SSH Communications Security Corp.

       For more information, see http://www.ssh.com.


SEE ALSO
       ssh-certd(8),  ssh-broker-config(5),  ssh_certd_config(5),
       sshd2_config(5).

Previous Next Up [Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice