SSH Tectia

Certificate Authentication on IBM z/OS

SSH Tectia Server for IBM z/OS includes two implementations of certificate authentication. One is based on keys and X.509 certificates in files and software cryptography. This is the same implementation that is available in SSH Tectia 4.x products on other platforms. The other is based on keys and certificates managed by the z/OS System Authorization Facility (SAF) and cryptographic operations handled by the z/OS Integrated Cryptographic Service Facility (ICSF).

The two implementations may be combined: SAF validation may be complemented with the SSH Tectia 4.x certificate validator, and the SSH Tectia 4.x implementation may use trusted keys stored in SAF.

The interface to SAF in SSH Tectia Server for IBM z/OS is implemented with an SSH Tectia External Key Provider. The External Key Providers are configured with specification strings in a configuration file or on a command line.

If only SAF validation is used, the certificate's validity period and revocation status are not checked. In security terms this is equivalent to ordinary public-key authentication, with the difference that the keys are stored securely in SAF rather than in files. Note also that when SAF is used purely as a key store, every certificate to be trusted has to be distributed to each host separately, so the scalability advantage of PKI is lost.
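The three arrangements described above (SAF used purely as a key store, SAF validation complemented by the SSH Tectia 4.x validator, and the SSH Tectia 4.x validator taking its trust anchors from SAF), as an added, simplified model in Python. This is illustrative code written for this page, not the product's own implementation or its External Key Provider interface; the class and function names, the fixed clock, the keyring contents and the CRL are all constructed, and signature verification against the issuer key is left out of the model. What it shows is which checks each arrangement performs and which it omits.

```python
"""Constructed model of the three certificate-authentication arrangements.
Names are hypothetical; this is not SSH Tectia code."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    public_key: bytes          # stand-in for the SubjectPublicKeyInfo blob
    not_before: datetime
    not_after: datetime


def saf_keyring_check(cert: Cert, keyring: list[Cert]) -> bool:
    """SAF-as-key-store model: accept only a certificate that is itself
    registered in the keyring. No validity-period or revocation check."""
    return any(c.subject == cert.subject and c.public_key == cert.public_key
               for c in keyring)


def pki_validate(cert: Cert, trust_anchors: list[Cert], now: datetime,
                 crl: dict[str, set[int]]) -> tuple[bool, str]:
    """Validator model: issuer must be a trust anchor, 'now' must fall inside
    the validity window, and the serial must not be on the issuer's CRL.
    Signature verification against the issuer's key is omitted here."""
    if cert.issuer not in {a.subject for a in trust_anchors}:
        return False, "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if cert.serial in crl.get(cert.issuer, set()):
        return False, "revoked"
    return True, "ok"


def authenticate(cert: Cert, keyring: list[Cert], ca_certs: list[Cert],
                 now: datetime, crl: dict[str, set[int]], mode: str) -> tuple[bool, str]:
    """mode: 'saf_only', 'saf_plus_validator' or 'validator_saf_anchors'."""
    if mode == "validator_saf_anchors":
        # Validator with trust anchors (CA certificates) loaded from SAF: only
        # the CA certificate needs distributing; leaves are not enrolled per host.
        return pki_validate(cert, ca_certs, now, crl)
    if not saf_keyring_check(cert, keyring):
        return False, "not registered in SAF keyring"
    if mode == "saf_only":
        return True, "accepted by SAF keyring (no date or CRL check)"
    return pki_validate(cert, ca_certs, now, crl)


# ---- constructed sample data -------------------------------------------------
def _leaf(subject: str, serial: int, nb_year: int, na_year: int) -> Cert:
    return Cert(subject, "CN=Corp CA", serial, f"key-{serial}".encode(),
                datetime(nb_year, 1, 1, tzinfo=timezone.utc),
                datetime(na_year, 1, 1, tzinfo=timezone.utc))


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)          # fixed clock for the model
CA = Cert("CN=Corp CA", "CN=Corp CA", 0, b"key-ca",
          datetime(2015, 1, 1, tzinfo=timezone.utc),
          datetime(2035, 1, 1, tzinfo=timezone.utc))
ALICE = _leaf("CN=alice", 1, 2023, 2026)   # valid
BOB = _leaf("CN=bob", 2, 2018, 2020)       # expired
CAROL = _leaf("CN=carol", 3, 2023, 2026)   # revoked (serial 3 on the CRL)
DAVE = _leaf("CN=dave", 4, 2023, 2026)     # valid, but never distributed to this host
KEYRING = [ALICE, BOB, CAROL]              # certificates enrolled on this host
CRL = {"CN=Corp CA": {3}}


def run_all() -> dict[str, dict[str, bool]]:
    """Authenticate every sample certificate under each arrangement."""
    results = {}
    for mode in ("saf_only", "saf_plus_validator", "validator_saf_anchors"):
        results[mode] = {c.subject: authenticate(c, KEYRING, [CA], NOW, CRL, mode)[0]
                         for c in (ALICE, BOB, CAROL, DAVE)}
    return results


if __name__ == "__main__":
    for mode, outcome in run_all().items():
        print(mode, outcome)
```

Under `saf_only` the expired and revoked certificates are accepted because the host only asks whether the key is registered; under `saf_plus_validator` they are rejected, but `dave` still fails until his certificate has been distributed to the host; only `validator_saf_anchors` accepts any valid, unrevoked certificate from the CA whose certificate sits in SAF, which is the scalable PKI case.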