The remote Secure Shell servers generate public-key pairs for themselves when the software is installed.
The SSH Tectia clients on the mainframe must have the remote server public keys available in order to authenticate the remote server they are connecting to. The keys can be stored in the mainframe user's $HOME/.ssh2/hostkeys directory or in the /etc/ssh2/hostkeys directory, which is common to all users. Here it is assumed that the common directory will be used. The directory will be copied to all the mainframe systems that need the keys.
A remote server public key can be downloaded manually with an initial interactive connection with Secure Shell. The SSH Tectia client programs on the mainframe do not allow entering remote passwords in the OMVS shell, so this connection is most easily done from a Telnet or a Secure Shell session. The SSH Tectia client program stores the key in the user's .ssh2 directory. It can be copied from there to /etc/ssh2/hostkeys.
An automated method is available to download the server keys of a large number of remote servers. The ssh-hostkey-probe program will access the remote machines (the Secure Shell servers must be running) and download the keys. The program reads a file containing the hostnames of the remote machines. Note that if a server will be accessed with different names, for example sometimes with the DNS hostname and sometimes with the IP address, all the names must be entered in the file on separate lines.
The downloaded remote server public keys should be checked. Their fingerprints should be printed with ssh-keygen2 and compared to the fingerprints printed at the remote sites. For more information, see Client Configuration.
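As an added example (not part of the SSH Tectia documentation or product), the following shell function cross-checks every name in the ssh-hostkey-probe host list against two fingerprint lists: the fingerprints of the downloaded keys and the fingerprints reported by the remote sites. The file layouts, the function names and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Assumed (constructed) file layouts, not defined by SSH Tectia:
#   hosts file       : one name per line, every name/IP used to reach a server
#   fingerprint files: "<name> <fingerprint>" per line

# check_fingerprints HOSTS LOCAL_FPS TRUSTED_FPS
# Prints one status line per name; returns 1 if any name is not OK.
check_fingerprints() {
    awk -v local_fp="$2" -v trusted_fp="$3" '
    BEGIN {
        # Fingerprints of the downloaded keys, as printed on the mainframe.
        while ((getline line < local_fp) > 0)
            if (split(line, f, " ") >= 2) seen[f[1]] = f[2]
        # Fingerprints reported by the remote sites (obtained out of band).
        while ((getline line < trusted_fp) > 0)
            if (split(line, f, " ") >= 2) want[f[1]] = f[2]
    }
    NF == 0 { next }                      # skip blank lines in the host list
    {
        name = $1
        if (!(name in seen))               { print "NO_KEY " name; bad = 1 }
        else if (!(name in want))          { print "NO_REFERENCE " name; bad = 1 }
        else if (seen[name] != want[name]) { print "MISMATCH " name; bad = 1 }
        else                                 print "OK " name
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data: srv1 is also reached by IP address, so both names
# are listed; the IP has no downloaded key, srv2 differs, srv3 has no reference.
demo_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' srv1.example.com 192.0.2.10 srv2.example.com \
        srv3.example.com > "$d/hosts"
    printf '%s\n' 'srv1.example.com fp-A' 'srv2.example.com fp-X' \
        'srv3.example.com fp-C' > "$d/local"
    printf '%s\n' 'srv1.example.com fp-A' '192.0.2.10 fp-A' \
        'srv2.example.com fp-B' > "$d/trusted"
    check_fingerprints "$d/hosts" "$d/local" "$d/trusted" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Run the constructed demo only when asked: sh thisfile demo
if [ "${1:-}" = demo ]; then demo_check; fi
```

A NO_KEY result for an address or alias means that name was left out of the host list or its download failed; a MISMATCH means the key must not be copied to /etc/ssh2/hostkeys until the difference is explained.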