Secure Shell Protocol
| Feature | Description |
|---|---|
| Compliance with the IETF Secure Shell standards | SSH Tectia Server for IBM z/OS implements the Secure Shell (version 2) protocol as defined by the IETF Proposed Standard RFC specifications. SSH Communications Security is the original developer of Secure Shell and has been an active driver of the Secure Shell standardization in the IETF. |
| Comprehensive cryptographic support | SSH Tectia Server for IBM z/OS offers state-of-the-art encryption with broad support for symmetric ciphers, including 3DES, AES, Blowfish, SEED, and Twofish. Supported message authentication hashes are MD5 and SHA-1; Diffie-Hellman is supported for key exchange, and DSA and RSA for public-key authentication. |
| Versatile command line tools | SSH Tectia Server for IBM z/OS includes versatile command line tools that can be used for secure remote login, remote command execution, and file transfer operations. These tools allow easy scripting of automated jobs using JCL batch and USS scripts. |
| Tunneling (port forwarding) | One of the key features of Secure Shell in addition to secure terminal access and secure file transfers is its ability to tunnel TCP-based application connections. SSH Tectia Client and Server allow static application tunneling where application client connections are routed through the local TCP port, and then securely forwarded to a remote Secure Shell server. |
| Transparent TN3270 tunneling | SSH Tectia Client or ConnectSecure together with SSH Tectia Server for IBM z/OS allow transparent encryption of TN3270 application connections between Windows workstations and mainframes. There is no need to reconfigure existing terminal emulators. |
| Authentication agent | Authentication agent functionality allows the caching of passphrases (used for encrypting the private key), eliminating the need to retype the passphrase each time a connection is made. In addition, authentication can be “forwarded”, allowing administrators to “hop” from one server to another without the need to store private keys on multiple servers. |
| Host-Based Authentication | Host-based authentication mimics the legacy rhosts authentication that was used with Unix tools such as rsh and rcp to control access to systems based on the address of the remote host. The Secure Shell host-based authentication utilizes strong cryptography for host identity verification. |
| Firewall traversal | SSH Tectia Server for IBM z/OS supports SOCKS (4 and 5) and HTTP proxy for accessing Secure Shell servers located behind firewalls. |
| Multi-channel support | Multi-channel support allows users to have multiple terminal sessions, file transfers, and application tunnels that are multiplexed to a single Secure Shell connection without the need to authenticate every session separately. |
| Configurable re-keying policies | Administrators can configure the renewal period for session encryption keys according to the security requirements. |
High Performance with SSH G3
| Feature | Description |
|---|---|
| SSH G3 architecture | SSH G3 is a third-generation Secure Shell protocol implementation, which has been optimized for higher performance in demanding file transfer and application tunneling environments. The SSH G3 architecture provides unparalleled Secure Shell encryption throughput and scalability for large organizations. |
| Higher throughput | The SSH G3 architecture has been designed to reduce internal data handling, such as data copy operations, in order to shorten transfer times for large files. |
| Multi-threading | SSH G3 utilizes multi-threaded programming to fully leverage multi-processor servers for improved performance. |
| Client-side Connection Broker | The Connection Broker is a key component in the SSH G3 architecture, handling all protocol and cryptographic operations. Client-side memory consumption is reduced since there needs to be only a single Connection Broker instance running per user. Security is also further improved by isolating all security-critical operations, including authentication data handling, in a single component. |
Secure File Transfer
| Feature | Description |
|---|---|
| Secure copying, moving, editing and removing of files with SFTP | The SFTP (Secure File Transfer Protocol) functionality provides a secure, drop-in replacement for FTP, allowing secure copying, moving, editing, and removing of files in TCP/IP networks. |
| Scripted file transfers | SSH Tectia Server for IBM z/OS includes versatile command line SFTP and SCP (Secure Copy) tools for easy scripting of automated and ad-hoc file transfers using JCL batch jobs and USS scripts. |
| File transfer profiles | File transfer profiles improve usability of file transfers that involve automatic code set translation. File transfer profiles allow users to specify file transfer parameters (e.g. ASCII/EBCDIC translation and data set allocation parameters) that are used for specific file transfers. Both global and user-specific file transfer profiles are supported. |
| Direct MVS dataset access | SSH Tectia Server for IBM z/OS incorporates direct access for all MVS file system operations, which improves file transfer performance by eliminating any additional memory and disk staging operations required previously for transferring files in MVS. Direct access of MVS datasets is supported on both the client and server modules of SSH Tectia Server for IBM z/OS. |
| MVS dataset listing | Users of SSH Tectia Client can list MVS datasets as files and folders, facilitating easy cross-platform file transfer between mainframe and non-mainframe systems. Windows users can drag and drop files to and from IBM z/OS by using the SFTP GUI of SSH Tectia Client. |
| Transparent FTP Tunneling | The client component of SSH Tectia Server for IBM z/OS supports transparent FTP Tunneling, providing a quick and easy way to secure FTP file transfers without the need to change existing FTP jobs. Transparent FTP Tunneling can be used to secure both interactive and unattended FTP sessions. On the server side, any server running Secure Shell and FTP is supported. |
| Transparent FTP-SFTP Conversion | The FTP-SFTP Conversion module allows easy and cost-effective replacement of plaintext file transfers in large enterprise environments. Existing FTP connections, including automated file transfers, are transparently converted to SFTP without the need to modify existing scripts and applications. |
| Checkpoint/restart mechanism | The checkpoint/restart mechanism provides fault tolerance for large file transfers without performance penalties, resulting in increased user productivity, improved transfer reliability, and easier file transfer management. |
| Mainframe-specific file transfer commands | The SFTP implementation in the SSH Tectia products features single put (sput) and single get (sget) commands that allow explicit source_file destination_file syntax for easier transfer of files to and from mainframe datasets. Support for the site command allows defining client- and server-specific file transfer settings, including mainframe dataset parameters. |
| MVS file transfer access controls | SSH Tectia Server for IBM z/OS can be configured to limit users’ file and dataset access to their own MVS prefix, MVS file system, or HFS. |
Authentication
| Feature | Description |
|---|---|
| OpenSSH and IBM Ported Tools key support | SSH Tectia Server for IBM z/OS supports the legacy OpenSSH public-key format used by IBM Ported Tools, eliminating the need for manual key conversions in multi-vendor Secure Shell environments. The key-compatibility feature also allows easy migration of OpenSSH and IBM Ported Tools environments to SSH Tectia. |
| Integrated mainframe authentication | SSH Tectia Server for IBM z/OS supports RACF, ACF2, and TSS through standard SAF for seamless integration with the IBM mainframe authentication methods. Existing authentication and access control management tools can be used, and there is no need to create new profiles or passwords. Public-key authentication is also supported for both interactive and unattended connections. |
| X.509v3 certificates | SSH Tectia Server for IBM z/OS supports X.509v3 certificates for further security and scalability in large and dynamic network environments. The advanced certificate validation capabilities of SSH Tectia, including support for multi-level certificate chains and multiple revocation methods, ensure seamless interoperability with any X.509v3 standards-compliant PKI environment. |
| Flexible certificate revocation | Both CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) are supported for centralized revocation of user credentials. CRLs are automatically fetched using HTTP or LDAP depending on the local settings and the CRL Distribution Point extension in the certificate. CRLs can also be imported offline in legacy environments. |
| Certificate lifecycle management | IETF PKIX standards (CMPv2) and Cisco Systems' Simple Certificate Enrollment Protocol (SCEP) are supported for online certificate enrollment. Certificates can also be imported by using the PKCS#12 envelope format supported by most CAs (Certification Authorities). |
| Hardware-based key generation and storage | Both client and server-side private keys can be generated and stored on hardware by using ICSF (Integrated Cryptographic Service Facility) for maximum security. |
| SAF keyring support for certificate storage | SSH Tectia Server for IBM z/OS supports storing client, server, and CA (Certification Authority) certificates on SAF (System Authorization Facility) keyrings. Optionally, the SSH Tectia certificate validation can be omitted so that only the checks done by SAF will be used. |