Unable to load host key “/nsconfig/ssh/ssh_host_dsa_key”: invalid format

Regenerate a new ssh dsa key


Delete/Backup existing corrupted dsa private and pub key locate in /nsconfig/ssh/

> rm /nsoconfig/ssh/ssh_host_dsa_key

> rm /nsoconfig/ssh/ssh_host_dsa_key.pub

Generate a new dsa private and pub key.

> ssh-keygen -t dsa

Give same location and name as previous key :: /nsconfig/ssh/ssh_host_dsa_key

> reboot or reload config file with command: /usr/sbin/sshd -f /etc/sshd_config

Another solution is disable dsa ssh key as is not really required since rsa key is present.


Edit file /etc/sshd_config and comment out [#] dsa key line

root@adc# cat /etc/sshd_config

Port 22


#ListenAddress :: Protocol 2

HostKey /nsconfig/ssh/ssh_host_rsa_key

#HostKey /nsconfig/ssh/ssh_host_dsa_key Safe file

Copy sshd_config to /nsconfig/

> cp /etc/sshd_config /nsconfig/

Reload sshd with command:

> /usr/sbin/sshd -f /nsconfig/sshd_config


  • No Related Posts

SEMS Fileshare 3.4.2. Questions

I need a solution

Hello all,

We have the below questions about SEMS Fileshare:

  1. In case we have 1000 users/agents, what are the suggested Server requirements Specs (cpu, ram, disk)?
  2.  What is the logs retention period? Is there any way to change the predefined period?
  3.  If I have 2 completely different SEMS infrastructures (PGP Encryption Command line and File Share Encryption) in the same domain network, may a conflict occur?
  4.  What will happen to users, keys, etc. if SEMS (in Server Key Mode) get down?
  5. SEMS Fileshare has an embedded database?
  6. After the initial installation, is it possible to change the configured IP and hostname?





  • No Related Posts

Can ProxySG Generate TLS Key Log File

I need a solution

When collecting packet capture files from the ProxySG, is there a way to decrypt them to be able to view the content?  With the use of Forward Secrecy, having the private key for the certificate installed on the Proxy is no longer good enough to be able to decrypt the packet capture using Wireshark, since they use ephemeral keys which are temporary.

A key log file can be created on the client machine, but for the case where there are many client machines, it is better to be able to do this at the central point, which is the ProxySG.

Any suggestions, other than only allowing the proxy to negotiate only with ciphers that do not use ephemeral keys?

Thank you,




  • No Related Posts

Considerations for Upgrading from 12.0 to 12.1

1) Removal of Weak Ciphers from DEFAULT_BACKEND cipher Group

This should not cause any issues for customers with backend applications that use modern Ciphers and TLS.

However legacy applications may face connectivity issues if specific Cipher Groups, with these older Ciphers enabled, are not configured.

Make sure to check if any backend Web Server/Resource/Application requires the above Ciphers before upgrade.

If they do, configure a Cipher Group with the required Ciphers and bind this to the Service or Service Group and unbind the DEFAULT_BACKEND Cipher Group.

2) Change in Password Encryption for Private Keys/Certificate-Key Pairs

Support for KEK encryption in private key

The password of the private key used while adding an SSL certificate-key pair is now saved using a unique encryption key for each Citrix ADC appliance.

For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.

Important: Certificate keys are lost if you downgrade to a build earlier than release 12.1 build 50.x.

[From Build 50.31]

[# NSHELP-14911]


Customers should not see any issues with this change during the upgrade.

However if they do need to downgrade back for any reason, all their encrypted Private keys will not be added during the downgrade.

To get around this, you can either do 1 of 2 things:

1: (Recommended) Take a backup of the configuration while on 12.0, so if a downgrade is needed, a restore can be performed after the downgrade


2: Do not save the configuration after the upgrade to 12.1 until it has been confirmed that everything is working and there is no need to downgrade.


  • No Related Posts

Trail version usage

I do not need a solution (just sharing information)


I downloaded the PGP command line TW from symantec site and when I try to generate the public key it is asking for valid key no.

I need to check the compatibility of PGP command line before I purchase the license. I need to know how it works.

Please do the needful ASAP



  • No Related Posts

PGP encrypt: 3064:key invalid

I need a solution

After importing the partner’s PGP key and signing the key (https://www.symantec.com/connect/forums/pgp-encrypt-invalid-key) with our own passphrase, tried to encrypt the file..

Successfully, could see a .pgp file was created in the output folder, but in the server logs, we are getting the below:


PGP ERROR – xxxxxxx :encrypt (3064:key invalid)

Could someone help me out here how to avoid this PGP error ?



  • No Related Posts

PGP Drive encryption information

I need a solution

need info about Symantec PGP drive encryption.Please let me know the key points like which mechanism it is using for drive encryption like symmetric or asymmetric key cryptography.

And what is keymanagement server and can we use single PGP drive encryption management server for Drive encryption,email encryption,key management server