Tectia Server 6.2 for IBM z/OS

Administrator Manual

Tectia Corporation

Copyright © 2007–2012 Tectia Corporation

This software is protected by international copyright laws. All rights reserved. Tectia® and ssh® are registered trademarks of Tectia Corporation in the United States and in certain other jurisdictions. The Tectia and SSH logos are trademarks of Tectia Corporation and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of Tectia Corporation.

THERE IS NO WARRANTY OF ANY KIND FOR THE ACCURACY OR USEFULNESS OF THIS INFORMATION EXCEPT AS REQUIRED BY APPLICABLE LAW OR EXPRESSLY AGREED IN WRITING.

For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the Administration Manual.

20 April 2012

Table of Contents

1. About This Document

Introduction to Tectia Server for IBM z/OS

System Authorization Facility

Sample Files

Documentation Conventions

Operating System Names

Customer Support

Component Terminology

2. Installing Tectia Server for IBM z/OS

Preparing for Installation

System Requirements
Permission Requirements
System Limit Requirements
Directories and Datasets

Upgrading Previously Installed Secure Shell Software

From OpenSSH
From Tectia Server for IBM z/OS Version 5.x
From Tectia Server for IBM z/OS Version 6.x
From Tectia Server for IBM z/OS when Two Versions Exist

Installing the Tectia Server for IBM z/OS Software

Unpacking the Installation Package
Creating the SAMPLIB and PARMLIB Datasets
Preparing the System
Creating the SSHD2 User
Creating the /opt/tectia Directory
Running the Setup Script
Installing Licenses
Enabling Manual Pages

Removing the Tectia Server for IBM z/OS Software

3. Getting Started with Tectia Server for IBM z/OS

Running the Server

Starting sshd2 Manually under USS
Running sshd2 as a Started Task
Restarting and Stopping sshd2
Starting ssh-certd Manually under USS
Running ssh-certd as a Started Task
Restarting and Stopping ssh-certd

Environment Variables for Server and Client Applications

Setting Up a Shell User

Authenticating Remote Server Hosts
Using Password Authentication
Using Public-Key Authentication

4. Configuring the Server

Server Configuration Files

Editing Configuration Files
Command-Line Options
Running Tectia and OpenSSH on the Same Host

Defining Subconfigurations

Host-Specific Subconfiguration
User-Specific Subconfiguration

Configuring Cryptographic Algorithms

Configuring Ciphers
Configuring MACs
Configuring KEXs
Configuring Host Key Signature Algorithms
Configuring Public Key Signature Algorithms
Crypto Hardware Support

Configuring Root Logins

Restricting User Logins

Configuring Code Pages

Defining Subsystems

Configuring Logging in sshd2
Logging SFTP Transactions
SMF Auditing

Securing the Server

Restrictions to System Administration
Restrictions to File Transfer
Restrictions to Tunneling

5. Authentication

Supported User Authentication Methods

Using the z/OS System Authorization Facility

Server Authentication with Public Keys in File

Defining Server Host Key
Generating the Server Host Key Pair
Using an OpenSSH Server Host Key
Notifying the Users of the Host Key Change

Server Authentication with Certificates

Certificates Stored in File
Certificates Stored in SAF

User Authentication with Passwords

User Authentication with Public Keys in File

Enabling Public-Key Authentication
Using the Authorization File
Using Keys Generated with OpenSSH

User Authentication with Certificates

Certificates Stored in File
Certificate User Mapping File
Certificates Stored in SAF

Host-Based User Authentication

Client Configuration
Server Configuration
Optional Configuration Settings

User Authentication with Keyboard-Interactive

6. System Administration

Shell Access and Remote Commands

Supporting the chcp Command
Configuring Terminal Data Conversion

7. File Transfer Using SFTP

Creating a User for Batch File Transfers

Controlling File Transfer

Handling Prematurely Ending File Transfers
Controlling Staging during File Transfers
Restoring Archived Datasets

8. Secure File Transfer Using Transparent FTP Security

Introduction to Transparent FTP Security

Transparent FTP Tunneling
FTP-SFTP Conversion
Summary of Configuration Steps

Configuring SOCKS Proxy

ssh-socks-proxy-config.xml
Storing Remote Server Host Keys

Creating the SSHSP User

Running SOCKS Proxy

Starting ssh-socks-proxy Manually under USS
Running ssh-socks-proxy as a Started Task
Stopping ssh-socks-proxy
Reconfiguring ssh-socks-proxy

Configuring FTP

Editing the FTP Client Configuration
Creating the SOCKS Configuration

Examples of Transparent FTP Security

System-Wide Transparent FTP Tunneling or FTP-SFTP Conversion with Fallback
JCL-Specific Transparent FTP Tunneling or FTP-SFTP Conversion

9. Tunneling

Local Tunnels

Tunneling TN3270

Remote Tunnels

Agent Forwarding

10. Troubleshooting Tectia Server for IBM z/OS

Debugging Tectia Server for IBM z/OS

Debugging Using USS shell
Debugging using a Started Task
Debugging File Transfer

Solving Problem Situations

Using the OMVS Shell
Common MVS Error Messages
Common Tectia Server for IBM z/OS Error Messages
Exceeding Maximum CPU Time
Auxiliary Storage Shortage
SSHD2 Cannot Be Started as a Started Task
File Transfer Server Log Messages with Wrong Timestamps

A. Man Pages and Default Configuration Files

ssh-certd
ssh_certd_config
ssh-dummy-shell
ssh-externalkeys
sshd-check-conf
sshd2
sshd2_config
sshd2_subconfig
sshregex
Default sshd2_config Configuration File
Default ssh_certd_config Configuration File

B. Log Messages

User Authentication - Common
User Authentication - Host-Based
User Authentication - Keyboard-Interactive Password
User Authentication - Keyboard-Interactive
User Authentication - Password
User Authentication - Public Key
Certificate-Specific Code
Agent Forwarding
Session Channels
SSH1 Agent Forwarding
Port Forwarding
Common Code
Host Key I/O
General Server Log Messages
SFTP

C. Open Source Software License Acknowledgements