Generating the Server Host Key Pair

The host public-key pair (2048-bit RSA) is generated during the installation of Tectia Server for IBM z/OS by running the job KEYGH, which is generated by Tectia SSH Assistant installation step 1.15 KEYGEN. You need to regenerate the host key pair only if you want to change it.

KEYGH invokes a tool called ssh-keygen-g3 (located in /opt/tectia/bin) that generates the host key pair:

 //KEYGH   EXEC SSZPBPX,BPX=BPXBATCH
 //STDPARM  DD  *
 SH /opt/tectia/bin/ssh-keygen-g3 -H -P -t rsa
    -c "Tectia Server key for $(hostname) generated at $(date)"
    -b 2048
 //STDENV   DD  *

The options have the following meanings:

  -H       The key pair will be stored in the default host key directory (/opt/tectia/etc).
  -P       The key will be saved without a passphrase.
  -t rsa   The type of the key will be RSA.
  -c       This line generates the key comment.
  -b 2048  The length of the key will be 2048 bits.

Because the private key is generated without a passphrase (option -P), the server starts up without any operator interaction to enter a passphrase. Protect the key with file system access rules: the private key (/opt/tectia/etc/hostkey) must be accessible only by the SSHD2 user.

For more information on the key generation options, see the Tectia Server for IBM z/OS User Manual or the ssh-keygen-g3 man page.

To (re)generate the host key in UNIX, perform the following tasks:

  1. Use su to switch to a UID 0 user (if you are not already logged in as one).

  2. Run ssh-keygen-g3 to generate the host key, for example:

    # /opt/tectia/bin/ssh-keygen-g3 -t ecdsa -b 256 -P /opt/tectia/etc/hostkey

    This will generate a 256-bit ECDSA key pair without a passphrase and store it under /opt/tectia/etc.

  3. Restart the server.
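After generating or regenerating the key, the access requirement stated above can be checked with a short script. This is an added example, not part of the Tectia documentation or product; the function names and the owner argument are assumptions, and the directory-writability check goes slightly beyond what the page states.

```shell
#!/bin/sh
# Added example, not vendor code: audit access to a passphrase-less host key.
# Only POSIX mode bits are examined; ACLs and security-product rules are not.

# Print "<mode-string> <owner>" for a path, taken from POSIX `ls -ld` output.
mode_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# check_hostkey KEYFILE OWNER
# Returns 0 only if KEYFILE is a regular file (not a symlink) owned by OWNER
# with no group/other permission bits, and its directory is not group- or
# world-writable (a writable directory would let the key be replaced).
check_hostkey() {
    key=$1; owner=$2; rc=0
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is missing, a symlink, or not a regular file"
        return 1
    fi
    info=$(mode_owner "$key"); mode=${info% *}; who=${info#* }
    # Characters 5-10 of the mode string are the group and other triplets.
    case $(printf '%s\n' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL: $key mode $mode grants group/other access"; rc=1 ;;
    esac
    if [ "$who" != "$owner" ]; then
        echo "FAIL: $key is owned by $who, expected $owner"; rc=1
    fi
    dir=$(dirname "$key")
    dinfo=$(mode_owner "$dir"); dmode=${dinfo% *}
    # Position 6 is group write, position 9 is other write.
    case $dmode in
        ?????w*|????????w*)
            echo "FAIL: $dir is group- or world-writable ($dmode)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $key is restricted to $owner"
    fi
    return "$rc"
}

# Usage: sh check_hostkey.sh /opt/tectia/etc/hostkey <sshd2-user>
# <sshd2-user> is a placeholder for the account your SSHD2 task runs under.
if [ "$#" -eq 2 ]; then
    check_hostkey "$1" "$2"
fi
```

A non-zero exit status means at least one FAIL line was printed, so the script can gate a restart of the server in an automated key-rotation job.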