The User can add up to three keys and pick any of these keys, then click "Get Open SSH key" and put this on to the managed target for authentication purposes.
When TPAM authenticates to the managed system, it doesn’t necessarily use the key you selected in the step above. It tries any of the three keys until one works. The one which worked is not recorded. TPAM does not track which of the 3 keys is associated to the Managed System.
As with any DSS key that is not rotated programmatically, there is overhead to renew the DSS key once it expires. Most system wide DSS keys are set to expire in many years’ time but is of course customer configurable.
Because of the current design, it is not currently possible to track which keys are used for which system into a report.