If a host key is not found in the user-specific host key directory, it is next searched for in the /opt/tectia/etc/hostkeys directory.
Host key files are not placed in the system-wide directory automatically; the system administrator has to update them manually.
To obtain and store hashed remote host keys in the system-wide storage you can either copy the keys manually from the server to the client or you can use the ssh-keydist-g3 tool from the client machine.
To copy the keys manually:
Select a client-side user whose $HOME/.ssh2/hostkeys directory will be the basis for the system-wide /opt/tectia/etc/hostkeys directory. The user should have administrative privileges, as placing the keys in the system-wide location requires them.
This user must also be used to maintain the system-wide /opt/tectia/etc/hostkeys directory later on if the host key of some server changes. The process is to maintain the user's host keys in the $HOME/.ssh2/hostkeys directory and then replicate the changes to the system-wide /opt/tectia/etc/hostkeys directory.
Make sure that the $HOME/.ssh2/hostkeys directory is empty when obtaining the keys for the first time, or that the host keys already saved there are intentional. If you need to obtain new keys later, the same $HOME/.ssh2/hostkeys/salt file has to be used.
Connect with SSH Tectia client tools for z/OS to the remote server, verify the fingerprint, and save the key.
Repeat this step as many times as there are remote servers. Note that you do not have to complete the user authentication, only the key exchange part of the Secure Shell connection.
Once all host keys you wish to maintain in the system-wide location have been obtained, place the keys in the system-wide location, for example by running the following commands:
# mkdir /opt/tectia/etc/hostkeys
# cp -p $HOME/.ssh2/hostkeys/* /opt/tectia/etc/hostkeys
Note that the salt file ($HOME/.ssh2/hostkeys/salt) also has to be copied so that SSH Tectia client tools for z/OS can identify the hashed host keys. Also, if multiple users contribute to the system-wide /opt/tectia/etc/hostkeys directory, they have to share the same salt file.
To store the keys using ssh-keydist-g3:
Run ssh-keydist-g3 with the -g option as a privileged user on the client, for example:
# ssh-keydist-g3 -N -i -g -A /tmp/newkeys.log host1 host2 host3#222
Substitute the appropriate list of host names as the command arguments.
The -i option specifies that the host keys are also stored using the IP addresses of the hosts. Transparent FTP tunneling and FTP-SFTP conversion require that the keys are stored using the IP address. However, the host keys are not automatically stored using the long hostname. If you also want that, specify the long hostname in addition to the short hostname as an argument to ssh-keydist-g3.
After the transfer, verify the fingerprints of the keys from the log file /tmp/newkeys.log.
For more information on the ssh-keydist-g3 options, see ssh-keydist-g3(1).
To obtain and store traditional (plain) remote host keys in the system-wide storage you can either copy the keys manually from the server to the client or you can use the ssh-keydist-g3 tool from the client machine.
To copy the keys manually:
As a server-side user, copy the /opt/tectia/etc/hostkey.pub file from the server as key_<port>_<hostname>.pub to the /opt/tectia/etc/hostkeys/ directory on the client.
You can do this as a non-privileged user on the server, but you must be a privileged user, for example root, on the client.
Use secure means to transfer the file, or verify that the fingerprint matches after the transfer with the ssh-keygen-g3 option -F, for example on SSH Tectia Server on Unix:
$ ssh-keygen-g3 -F /etc/ssh2/hostkey.pub
On the client:
# ssh-keygen-g3 -F /opt/tectia/etc/hostkeys/key_<port>_<hostname>.pub
Note that the identification differs depending on the host and port the client is connecting to. A connection using the IP address is considered a different host, as is a connection to the same host on a different port. You can copy the same traditional key_<port>_<hostname>.pub file under all these different names.
To store the keys using ssh-keydist-g3:
Run ssh-keydist-g3 with the -F plain and -g options as a privileged user on the client, for example:
# ssh-keydist-g3 -N -F plain -g -A /tmp/newkeys.log host1 host2 host3#222
Substitute the appropriate list of host names as the command arguments. In the example above, the following host keys are fetched:
key_22_host1.pub
key_22_host2.pub
key_222_host3.pub
After the transfer, verify the fingerprints of the keys from the log file /tmp/newkeys.log.
For more information on the ssh-keydist-g3 options, see ssh-keydist-g3(1).
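The manual replication step of the hashed-key procedure and the key_<port>_<hostname>.pub naming of the plain-key procedure can be scripted. The following is an added example, not part of the SSH Tectia documentation: plain_keyname maps an ssh-keydist-g3 host argument (host or host#port) to the plain key file name, and replicate_hashed_hostkeys copies a user's hosted keys together with the salt file into the system-wide directory, refusing to run when the destination already has a different salt (keys hashed with one salt cannot be looked up with another). Directory paths are parameters so the functions can be tried against constructed test directories instead of the real /opt/tectia/etc/hostkeys.

```shell
# Added example helper functions; assumed usage, not SSH Tectia's own tooling.

# Map one ssh-keydist-g3 host argument ("host" or "host#port") to the file
# name used for a plain (-F plain) host key: key_<port>_<hostname>.pub.
# The port defaults to 22 when no "#port" suffix is given.
plain_keyname() {
  case "$1" in
    *'#'*) kd_host=${1%%#*}; kd_port=${1#*#} ;;
    *)     kd_host=$1;       kd_port=22 ;;
  esac
  printf 'key_%s_%s.pub\n' "$kd_port" "$kd_host"
}

# Replicate a user's hashed host key directory (normally $HOME/.ssh2/hostkeys)
# into the system-wide directory (normally /opt/tectia/etc/hostkeys).
# Returns 1 on a missing source salt or a copy failure, 2 on a salt mismatch.
replicate_hashed_hostkeys() {
  rh_src=$1
  rh_dst=$2
  # The salt is mandatory: without it the client cannot identify hashed keys.
  [ -f "$rh_src/salt" ] || { echo "no salt file in $rh_src" >&2; return 1; }
  # Every contributor to the system-wide directory must share one salt file;
  # silently overwriting a different salt would orphan the keys already there.
  if [ -f "$rh_dst/salt" ] && ! cmp -s "$rh_src/salt" "$rh_dst/salt"; then
    echo "salt mismatch: $rh_dst/salt differs from $rh_src/salt" >&2
    return 2
  fi
  mkdir -p "$rh_dst" || return 1
  # -p preserves ownership, permissions and timestamps, as in the cp -p step.
  cp -p "$rh_src"/* "$rh_dst"/ || return 1
  return 0
}
```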