Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Performance Management - Remote Monitor for Platform Description, User's Guide and Reference


3.1.6 SSH connection setting method for Windows (when the PFM - RM host is running Windows and the monitored host is running UNIX)

This subsection explains how to set up the SSH connection settings necessary for collecting performance data from a monitored host running UNIX. For SSH authentication, you use the public key authentication method.

To connect SSH, settings for the following are required:

The following figure provides an overview of public key authentication.

Figure 3‒7: Concept of public key authentication

[Figure]

For public key authentication in a cluster system, you can either use a common key on both the active server node and the standby server node, or use different keys on these nodes.

To use a common key on both the active server node and the standby server node, copy the key file from the active server node to the copy file of the standby server node, overwriting any existing key files. The following figure shows the concept of using a common key.

Figure 3‒8: Concept of public key authentication (when a common key is used at both the active server node and the standby server node)

[Figure]

To use different keys on the active server node and the standby server node, register the key files of the active server node and the standby server node at the monitored host. The following figure shows the concept of using different keys.

Figure 3‒9: Concept of public key authentication (when different keys are used at the active server node and the standby server node)

[Figure]

(1) Enabling the SSH server's public key authentication

To enable public key authentication:

  1. Log on to the monitored host as a superuser.

  2. Open /etc/ssh/sshd_config#.

  3. Change PubkeyAuthentication to yes.

  4. Save and close /etc/ssh/sshd_config#.

  5. Execute the following command to restart the sshd service:

    [root@TargetHost .ssh]$ /etc/rc.d/init.d/sshd restart

    Reference note

    To log on as a superuser to collect information, open /etc/ssh/sshd_config# and change PermitRootLogin to yes. After that, restart the sshd service.

    #: For HP-UX, this file is /opt/ssh/etc/sshd_config.
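
To confirm that the edit in steps 2 through 4 took effect, the following added example (not part of the Hitachi manual) reads an sshd_config file the way sshd resolves global settings: keywords are case-insensitive and the first value found wins, so an earlier line can override the one you changed. The function names and the sample configuration are constructed for illustration.

```sh
# Added example, not part of the Hitachi manual.

# Print the effective global value of an sshd_config keyword.
# Keywords are case-insensitive, and the first value sshd reads wins.
sshd_opt() {   # usage: sshd_opt FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1)
            sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") exit            # conditional blocks are not global
            if (key == tolower(want)) { print val; exit }
        }' "$1"
}

# Report the three settings this procedure depends on; return 1 if public key
# authentication is set to anything other than yes.
audit_sshd_config() {   # usage: audit_sshd_config FILE
    rc=0
    pk=$(sshd_opt "$1" PubkeyAuthentication)
    root=$(sshd_opt "$1" PermitRootLogin)
    keys=$(sshd_opt "$1" AuthorizedKeysFile)
    case $pk in
        yes) echo "OK    PubkeyAuthentication yes" ;;
        "")  echo "NOTE  PubkeyAuthentication not set in the global section" ;;
        *)   echo "FAIL  PubkeyAuthentication is '$pk', expected yes"; rc=1 ;;
    esac
    if [ "$root" = yes ]; then echo "NOTE  PermitRootLogin yes (needed only to collect as superuser)"; fi
    echo "INFO  AuthorizedKeysFile ${keys:-not set (default applies)}"
    return $rc
}

# Constructed sample: "yes" was appended at the end, but the earlier "no" wins.
sample_sshd_config() {
    cat <<'EOF'
Port 22
PubkeyAuthentication no
#PubkeyAuthentication yes
PermitRootLogin=yes
pubkeyauthentication yes
Match User backup
    AuthorizedKeysFile /etc/ssh/keys/%u
EOF
}
```

On the monitored host, run audit_sshd_config against /etc/ssh/sshd_config (or /opt/ssh/etc/sshd_config on HP-UX) before restarting sshd.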

(2) Creating keys

This subsection explains the procedure for creating keys.

Log on to the PFM - RM host and create a key by executing PuTTY. You can select RSA or DSA for the key type. RSA and DSA differ only in the encryption algorithm; the operating procedure is the same.

To create RSA keys:

  1. From the Windows Start menu, choose All Programs, PuTTY, and then PuTTYgen.

    The PuTTY Key Generator window appears.

  2. Under Parameters, make sure that SSH-2 RSA is selected for Type of key to generate, and then click the Generate button.

    A progress bar showing the key generation progress is displayed in Key.

    Because PuTTY uses version 2 of the SSH protocol as the default, SSH-2 RSA is selected. For details about how to change the default to version 1 of the SSH protocol, see the documentation for PuTTY.

  3. Until the progress bar reaches 100%, randomly move the mouse in the dialog box to generate random numbers necessary for creating a key.

    When the progress bar reaches 100%, the generated random numbers are displayed in Key and a key is generated.

  4. Click the Save private key button to save the private key.

    If you did not enter any value in Key passphrase or Confirm passphrase, a dialog box still appears. Do not enter any value in Key passphrase or Confirm passphrase and click the Yes button.

  5. Click the Save public key button to save the public key.

(3) Placing the public key on the monitored hosts

Place the created public key on the monitored host. If there are multiple monitored hosts, distribute the key to all of them.

(a) Transferring the public key to the monitored host

Transfer the public key created at the PFM - RM host to the monitored host.

To transfer the public key:

  1. Log on to the monitored host by using the value that was specified in User during monitoring target setup.

    To use common account information, specify the value that is specified in User in common account information (ssh).

  2. Execute the cd command to change the current directory to the .ssh directory under the home directory.

    If the .ssh directory does not exist under the home directory, create it. For the .ssh directory attribute, specify 700 or 755. For the owner and group, specify the same as those specified for the user who was specified during the setup of the monitored host. If the attribute, owner, or group setting of the home directory or the .ssh directory is invalid, SSH connection might fail.

    For details about how to specify directory attributes, see the documentation for the OS.

  3. Start the command prompt at the PFM - RM host, and then change the current directory to the folder in which PuTTY is installed.

  4. Execute the pscp command provided by PuTTY.

    The following is an example of command execution when a public key is located in the PuTTY installation directory:

    C:\Program Files\PuTTY>pscp.exe agt7.pub ClientUser@TargetHost:.ssh
     ClientUser@TargetHost's password: password
     agt7.pub     | 0 kB |   0.3 kB/s | ETA: 00:00:00 | 100%

    If a message appears asking if a fingerprint should be registered, enter n.

(b) Registering the public key at the monitored host

To register the public key at the monitored host:

  1. Log on to the monitored host by using the value that was specified in User during monitoring target setup.

    To use common account information, specify the value that is specified in User in common account information (ssh).

  2. Execute the cd command to change the current directory to the .ssh directory.

  3. Execute the ssh-keygen command with both the -i and -f options specified.

    The public key created in PuTTY is converted into a format that can be used by OpenSSH.

  4. Execute the rm command to delete the public key file received in (a) Transferring the public key to the monitored host.

  5. Execute the chmod command to change the attribute of the authentication key file to 600.

An example of performing steps 2 through 5 follows:

[ClientUser@TargetHost ~]$ cd .ssh
[ClientUser@TargetHost .ssh]$ ssh-keygen -i -f agt7.pub >> authorized_keys
[ClientUser@TargetHost .ssh]$ rm agt7.pub
[ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

The name of the authentication key file is set by AuthorizedKeysFile of /etc/ssh/sshd_config. For HP-UX, it is /opt/ssh/etc/sshd_config.

By default, ~/.ssh/authorized_keys is set.
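
The attributes given in (a) step 2 and (b) step 5 can be checked with a script such as the following, an added example that is not part of the Hitachi manual. It checks owner and mode only, assumes the default ~/.ssh/authorized_keys location, and also flags a home directory that is writable by group or other, which sshd rejects when its StrictModes setting is enabled. The function names are hypothetical.

```sh
# Added example, not part of the Hitachi manual.

# True if the target is writable by group or other.
loose() {   # usage: loose TARGET
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# True if the target's permission bits equal one of the listed octal modes.
has_mode() {   # usage: has_mode TARGET MODE...
    target=$1; shift
    for m in "$@"; do
        [ -n "$(find "$target" -prune -perm "$m" -print 2>/dev/null)" ] && return 0
    done
    return 1
}

# True if the target is owned by the user (name or numeric ID).
owned_by() {   # usage: owned_by TARGET USER
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# Check HOME_DIR, HOME_DIR/.ssh and HOME_DIR/.ssh/authorized_keys for USER.
# Prints one line per finding and returns 1 if there is any.
check_ssh_perms() {   # usage: check_ssh_perms HOME_DIR USER
    home=$1; user=$2; rc=0
    dir=$home/.ssh
    keys=$dir/authorized_keys   # assumes the default AuthorizedKeysFile
    for p in "$home" "$dir" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1
        elif ! owned_by "$p" "$user"; then
            echo "OWNER   $p is not owned by $user"; rc=1
        fi
    done
    if [ -d "$home" ] && loose "$home"; then
        echo "MODE    $home is writable by group or other"; rc=1
    fi
    if [ -d "$dir" ] && ! has_mode "$dir" 700 755; then
        echo "MODE    $dir should be 700 or 755"; rc=1
    fi
    if [ -f "$keys" ] && ! has_mode "$keys" 600; then
        echo "MODE    $keys should be 600"; rc=1
    fi
    return $rc
}
```

Run it on the monitored host with the home directory and name of the user specified in User during monitoring target setup.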

(4) Checking the connection and registering a fingerprint

To check whether the PFM - RM host and a monitored host can connect to each other:

  1. Log on to the PFM - RM host by using the value that was specified in RMHost_User during instance environment setup.

    To use common account information, log on to the PFM - RM host by using the value that is specified in User in common account information (pfmhost).

  2. Start the command prompt.

  3. Using the created private key, execute PuTTY's plink command to connect to the monitored host.

    The connection process begins.

  4. During the initial connection, register a fingerprint.

    Register the fingerprint of the monitored host's public key: when you are asked whether to store the key, enter y. When you enter y, the monitored host's command prompt appears.

  5. From the monitored host's prompt, execute the exit command to log out from the monitored host.

  6. From the PFM - RM host, execute PuTTY's plink command again to reconnect to the monitored host.

    If the monitored host's prompt appears in subsequent connections without you having to enter any information, setup of the connection between the PFM - RM host and the monitored host is completed. From the monitored host's command prompt, execute the exit command to log out from the monitored host.

    If an error occurs or if you are asked to enter anything, check to see if you have correctly followed the procedure.

An example of checking the connection follows:

C:\WINDOWS\system32>"C:\Program Files\PuTTY\plink.exe" -ssh -noagent -i "C:\Program Files\PuTTY\agt7.ppk" -P 22 ClientUser@TargetHost
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you 
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Using username "ClientUser".
Last login: Wed Aug  4 13:29:55 2010 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost]$ exit
logout
C:\WINDOWS\system32>"C:\Program Files\PuTTY\plink.exe" -ssh -noagent -i "C:\Program Files\PuTTY\agt7.ppk" -P 22 ClientUser@TargetHost
Using username "ClientUser".
Last login: Wed Aug  4 13:30:00 2010 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost]$ exit
logout
C:\WINDOWS\system32>

Notes:
  • PFM - RM for Platform assumes that fingerprint registration has already been completed. Because you can register a fingerprint during the initial SSH client connection, we recommend that you complete the procedure described here at that point.

  • If you change the user account specified for RMHost_User during the instance environment setup, you need to re-register a fingerprint. If you are using common account information, you also need to re-register a fingerprint when updating the value of User in common account information (pfmhost).

  • If you run PFM - RM for Platform in a cluster system, register a fingerprint on the standby node in the same way as on the executing node.

  • Confirm that a response is returned in less than 10 seconds when you execute a command such as uname on the monitored host from the PFM - RM host.
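
Before you enter y in step 4, the fingerprint that plink displays can be compared with one computed on the monitored host itself. The following added example (not part of the Hitachi manual) computes the fingerprint in the colon-separated MD5 form shown in the example above and compares it with the line plink printed. It assumes that base64, md5sum and grep -o are available; the function names and the sample key line are constructed.

```sh
# Added example, not part of the Hitachi manual.

# Print the MD5 fingerprint (colon-separated hex) of an OpenSSH public key
# file: the MD5 digest of the base64-decoded key blob in field 2.
hostkey_md5_fp() {   # usage: hostkey_md5_fp KEYFILE.pub
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1" 2>/dev/null)
    [ -n "$blob" ] || return 1          # missing file or no key blob
    printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1 \
        | sed 's/../&:/g; s/:$//'
}

# Extract the fingerprint from the line plink prints, for example
# "ssh-rsa 2048 xx:xx:...". Prints nothing if the line contains none.
plink_fp() {   # usage: plink_fp "LINE"
    printf '%s\n' "$1" | tr 'A-F' 'a-f' \
        | grep -Eo '([0-9a-f]{2}:){15}[0-9a-f]{2}' | head -n 1
}

# Return 0 only when the fingerprint plink displayed equals the one computed
# from the key file on the monitored host.
fp_matches() {   # usage: fp_matches "PLINK LINE" KEYFILE.pub
    shown=$(plink_fp "$1")
    [ -n "$shown" ] && [ "$shown" = "$(hostkey_md5_fp "$2")" ]
}

# Constructed sample key line; "YWJj" is a placeholder blob, not a real key.
sample_hostkey_pub() {
    echo 'ssh-rsa YWJj constructed-sample'
}
```

On the monitored host, pass the server's RSA host public key file to hostkey_md5_fp; with OpenSSH this is commonly /etc/ssh/ssh_host_rsa_key.pub, which is an assumption because this manual does not name the file.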

For details about PFM - Manager startup, see the chapter that describes startup and termination of Performance Management in the Job Management Partner 1/Performance Management User's Guide.