After upgrade create a new RSA host key hostkey_new in Tectia Server Configuration GUI → Identity → Generate key

Or on command-line:

ssh-keygen-g3 -H -P hostkey_new

Advertise Current and New Host Key During Renewal Period Before Rotation

In Tectia Server Configuration GUI → Identity → Edit hostkey and hostkey_new

Change Advertise to Yes for both current host key and new host key so that they are advertised to secure shell clients and Apply to reload the configuration.

The current host key is used in server authentication and new host key is saved on the client-side for future use by the clients that support this. Note that if current host key has Advertise set to No (default), then clients will remove it prematurely and the next connection will result in save host key prompt.

Or edit ssh-server-config.xml

<hostkey advertise="yes">
   <private file="C:\Program Files (x86)\SSH Communications Security\
                  SSH Tectia\SSH Tectia Server\hostkey" />
   <public file="C:\Program Files (x86)\SSH Communications Security\
                 SSH Tectia\SSH Tectia Server\hostkey.pub" />
</hostkey>               

To reconfigure Tectia Server on command-line:

ssh-server-ctl reload

Monitor Tectia Server Logs

Tectia Server logs Hostkey-advert-accepted informational audit message when a client saves advertised new host key and server has proved ownership. These messages can be used to track the adoption of the new host key in the environment over time.

132 Hostkey_advert_accepted, Username: <authenticated_user>,
Src IP: 127.0.0.1, Src Port: 50737, "xicaz-...-saxux",
"SHA-256: gThQLwq2eiVIRd3T8X4JElNr9SGa7WRcUX93Audbe2I", Session-Id: 147,
Protocol-session-Id: C85232F7554FBB5814ADAAD6D8E0...

Host Key Rotation

When Tectia Server’s old key is removed from configuration and new key taken into active use, any secure shell clients that have not connected during the renewal period or clients that do not support or do not have Host Key Rotation / UpdateHostKeys enabled and have previously connected and saved the old host key to known hosts fail to connect or prompt a host key changed warning.

In Tectia Server Configuration GUI→Identity→Delete “hostkey” to remove the old key from configuration and Apply to reload the configuration so that the hostkey_new becomes the current host key.

Or edit ssh-server-config.xml so that only hostkey_new key pair is specified:

                    <hostkey advertise="yes">
   <private file="C:\Program Files (x86)\SSH Communications Security\
SSH Tectia\SSH Tectia Server\hostkey_new" />
   <public file="C:\Program Files (x86)\SSH Communications Security\
SSH Tectia\SSH Tectia Server\hostkey_new.pub" />
 </hostkey>
                

To reconfigure Tectia Server on command-line:

ssh-server-ctl reload

Rename hostkey to hostkey_removed and hostkey.pub to hostkey_removed.pub in installation directory so that it is not accidentally taken into use if Tectia Server is started without configuration file. Note also that next Tectia Server upgrade will automatically generate a new hostkey if the file with this name does not already exist.

If the current hostkey_new is advertised, then after successful user authentication clients that support and allow this in configuration will automatically remove from known hosts any host keys that are no longer advertised.

Tectia Client 6.4.19 has Host Key Policy Rotation enabled by default when connecting to Tectia servers only and Tectia Client attempts to remove the old keys from all known host key locations. On the client-side the following command can be used to view keys in local host key store(s):

ssh-keygen-g3 -F host_id

where host_id is hostname or address#port