Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Performance Management - Remote Monitor for Platform Description, User's Guide and Reference


3.2.5 SSH (for UNIX) connection setting method

This subsection describes how to set up an SSH connection. SSH authentication uses the public key authentication method.

To connect by SSH, you need the settings described in (1) through (4) below.

The following figure shows the concept of public key authentication.

Figure 3‒16: Concept of public key authentication

[Figure]

There are two ways to perform public key authentication in a cluster system. One is by using the same key for both executing and standby nodes, and the other is by using different keys.

To use the same key for both executing and standby nodes, copy the standby node's key file to the executing node's key file by overwriting. The following figure shows the concept of public key authentication using the same key.

Figure 3‒17: Concept of public key authentication (using the same key for both executing and standby nodes)

[Figure]

To use different keys for the executing and standby nodes, you must register the key files for both the executing node and the standby node into the monitored hosts. The following figure shows the concept of public key authentication using different keys.

Figure 3‒18: Concept of public key authentication (using different keys for executing and standby nodes)

[Figure]

Organization of this subsection

(1) Enabling the SSH server's public key authentication
(2) Creating keys
(3) Placing the public key on the monitored hosts
(4) Checking the connection and registering a fingerprint

(1) Enabling the SSH server's public key authentication

To enable public key authentication:

  1. Log on to the monitored host as a superuser.

  2. Open /etc/ssh/sshd_config#.

  3. Set PubkeyAuthentication to yes.

  4. Save and close /etc/ssh/sshd_config#.

  5. Execute the following command to restart the sshd service:

    [root@TargetHost .ssh]$ /etc/rc.d/init.d/sshd restart

    Reference note

    To log on as a superuser to collect information, open /etc/ssh/sshd_config# and change PermitRootLogin to yes, then restart the sshd service. Note that PermitRootLogin yes also allows root to log on with a password; if root collection is required, prefer PermitRootLogin without-password so that root can log on only with a key.

    #

    This will be /opt/ssh/etc/sshd_config when using HP-UX.
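The following shell functions are an added example (not from this manual or from the product) that set an sshd_config directive in place instead of by hand, and read back the value sshd will actually use (the first active occurrence wins). They assume a stock file layout in which the directive appears at most once, possibly commented out; the file content in the demo is constructed, not a real sshd_config.

```sh
#!/bin/sh
# Added example: idempotent editing of an sshd_config-style file.

# set_sshd_option FILE DIRECTIVE VALUE
# Replaces the first active or commented-out ("#Directive ...") line for
# DIRECTIVE with "DIRECTIVE VALUE"; appends the line if none exists.
# Leaves FILE.bak behind and keeps FILE's mode (and owner, when run as root).
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$file.tmp.$$
  cp -p "$file" "$file.bak" || return 1
  cp -p "$file" "$tmp" || return 1          # tmp inherits the original's mode
  awk -v k="$key" -v v="$value" '
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)      # drop a leading "#" and blanks
      split(line, f, /[ \t]+/)
      if (!done && f[1] == k) { print k " " v; done = 1; next }
      print
    }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE DIRECTIVE
# Prints the value sshd will use: the first active (uncommented) occurrence
# wins and later ones are ignored, so this mirrors sshd's own rule.
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed file (not a real sshd_config).
demo_sshd_config() {
  f=$(mktemp) || return 1
  printf '#PubkeyAuthentication no\nPermitRootLogin no\n' > "$f"
  set_sshd_option "$f" PubkeyAuthentication yes
  get_sshd_option "$f" PubkeyAuthentication     # yes
  rm -f "$f" "$f.bak"
}

# On a real host, validate the file before restarting; a syntax error in
# sshd_config can lock you out of the monitored host:
#   /usr/sbin/sshd -t -f /etc/ssh/sshd_config && /etc/rc.d/init.d/sshd restart
```

Run the validation line (sshd -t) from a session you keep open until a second session has confirmed that logons still work.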

(2) Creating keys

Keys are created automatically at installation. Although you can also create keys manually, we recommend that you use the automatically created keys unless there is a specific reason not to.

(a) Creating keys automatically

When you install PFM - RM for Platform, both private and public keys are created automatically in /opt/jp1pc/agt7/.ssh/.

The following table lists and describes the storage directory for the private and public keys, the file names, and the settings.

Table 3‒40: Storage directory for the private and public keys, the file names, and settings

  No.  Storage directory       File name  Attribute  Owner      Description
  1    /opt/jp1pc/agt7/.ssh/   --         700        root:root  Hidden directory for storing the private and public keys
  2    /opt/jp1pc/agt7/.ssh/   agt7       600        root:root  Private key file
  3    /opt/jp1pc/agt7/.ssh/   agt7.pub   644        root:root  Public key file

Legend:

--: Not applicable

Important note

When you use an automatically created key, do not delete the created key file. If you delete it, the key file is automatically re-created during an overwrite installation or version upgrade, and the new key on the PFM - RM host will no longer match the public key registered on the monitored hosts. Consequently, you will no longer be able to connect to the monitored hosts. If you cannot connect to a monitored host following an overwrite installation or version upgrade because the key file had been deleted, perform the procedure described in (3) Placing the public key on the monitored hosts and place the public key on all monitored hosts again.

(b) Creating keys manually

This subsection describes how to create keys manually.

You can create keys by logging on to the PFM - RM host as a superuser and then executing the ssh-keygen command. The procedure is the same for RSA and DSA keys; only the algorithm differs. Note that DSA (ssh-dss) keys are disabled by default in OpenSSH 7.0 and later, so use RSA unless the monitored hosts specifically require DSA.

To create RSA keys:

  1. Log on to the PFM - RM host as a superuser.

  2. Execute the ssh-keygen -t rsa command.

    This command creates an RSA key pair.

    To create a DSA key pair, specify the -t dsa option instead of the -t rsa option.

  3. Determine the destination and name of the private key.

    By default, ~/.ssh/id_rsa (RSA) is set. The public key is written to the same path with .pub appended.

  4. Press the Enter key twice.

    When you are asked to enter a passphrase for the private key, press the Enter key without entering anything. When re-entry is prompted, press the Enter key again without entering anything. The passphrase must be empty because the connection is made unattended; protect the private key with the file attributes shown in Table 3‒40 instead.

The following shows an example of ssh-keygen -t rsa command execution:

[root@RMHost]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <Enter>
Enter passphrase (empty for no passphrase): <Enter>
Enter same passphrase again: <Enter>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ax:xx:xx:xx:xx:bx:xx:xc:xx:xx:xx:xd:xd:xa:ed:xx root@RMHost
Notes about creating keys
  • Securely manage the private key. Anyone who can read it can log on to every monitored host as the monitoring user.

  • Key generation does not depend on a particular environment or tool, so any standard ssh-keygen can be used. However, after creating the keys, you must place the private key on the PFM - RM host and the public key on each monitored host, as described in (3).
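As an added example (not the manual's or the product's own code), the following functions generate a key pair the way the procedure above does, but non-interactively, and then check that the directory and file modes match Table 3‒40. The key size is ssh-keygen's default; the comment string passed with -C is an assumption, not something the product requires.

```sh
#!/bin/sh
# Added example: non-interactive key generation plus a mode check.

# make_agent_key DIR NAME
# Creates DIR/NAME (private) and DIR/NAME.pub (public) with an empty
# passphrase, because the agent connects unattended and cannot answer a
# prompt. Then applies the modes from Table 3-40: 700 / 600 / 644.
# Refuses to overwrite an existing key (see the Important note above).
make_agent_key() {
  dir=$1; name=$2
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  if [ -e "$dir/$name" ] || [ -e "$dir/$name.pub" ]; then
    echo "$dir/$name already exists; not overwriting" >&2
    return 1
  fi
  # -N '' = empty passphrase; -C is only a label (assumed value, not required)
  ssh-keygen -q -t rsa -N '' -C "agt7@$(uname -n)" -f "$dir/$name" || return 1
  chmod 600 "$dir/$name" && chmod 644 "$dir/$name.pub"
}

# key_modes DIR NAME
# Prints "<dir> <private> <public>" modes in ls -l notation so they can be
# compared with the expected "drwx------ -rw------- -rw-r--r--".
key_modes() {
  printf '%s %s %s\n' \
    "$(ls -ld "$1" | cut -c1-10)" \
    "$(ls -l "$1/$2" | cut -c1-10)" \
    "$(ls -l "$1/$2.pub" | cut -c1-10)"
}

# key_fingerprint PUBFILE
# The fingerprint to compare against the copy that lands in authorized_keys
# on each monitored host.
key_fingerprint() { ssh-keygen -l -f "$1"; }

# Typical call on the PFM - RM host (paths from Table 3-40):
#   make_agent_key /opt/jp1pc/agt7/.ssh agt7 && key_modes /opt/jp1pc/agt7/.ssh agt7
```

Because make_agent_key refuses to overwrite, it is safe to run from a provisioning script without risking the mismatch described in the Important note.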

(3) Placing the public key on the monitored hosts

Place the created public key on the monitored hosts. When there are multiple monitored hosts, be sure to perform this procedure on all of them.

To place the public key on a monitored host:

  1. Log on to the monitored host by using the value that was specified in User during monitoring target setup.

    To use common account information, specify the value that is specified in User in common account information (ssh).

  2. Execute the cd command to change the current directory to the .ssh directory under the home directory.

    If the .ssh directory does not exist under the home directory, create it. For the .ssh directory attribute, specify 700 or 755. For the owner and group, specify the same as those specified for the user who was specified during the setup of the monitored host. If the attribute, owner, or group setting of the home directory or the .ssh directory is invalid, SSH connection might fail.

  3. Execute the scp command.

    This copies the public key file created on the PFM - RM host to the monitored host.

  4. Execute the cat command.

    Append the contents of the received public key file to the authentication key file (the authorized keys file). Use >> rather than >, so that any keys already registered for the user are kept.

    The name of the authentication key file is set by AuthorizedKeysFile in /etc/ssh/sshd_config (/opt/ssh/etc/sshd_config for HP-UX).

    By default, ~/.ssh/authorized_keys is set.

  5. Execute the rm command to delete the received public key file.

  6. Execute the chmod command to change the attribute of the authentication key file to 600.

An example of performing steps 2 through 6 follows:

[ClientUser@TargetHost ]$ cd .ssh
[ClientUser@TargetHost .ssh]$ scp root@RMHost:/opt/jp1pc/agt7/.ssh/agt7.pub .
root@RMHost's password: password
agt7.pub                                 100%  233     0.2KB/s   00:00
[ClientUser@TargetHost .ssh]$ cat agt7.pub >> authorized_keys
[ClientUser@TargetHost .ssh]$ rm agt7.pub
[ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

You can also execute the ssh-copy-id command on the PFM - RM host to place the public key on the monitored hosts. ssh-copy-id creates the .ssh directory and the authorized keys file on the monitored host and sets their attributes, so you do not need to perform steps 2 through 6 by hand.

To use the ssh-copy-id command to place the public key:

  1. Log on to the PFM - RM host as a superuser.

  2. Execute the ssh-copy-id command.

    The public key is copied.

    For details about the ssh-copy-id command, see the OpenSSH documentation.

An example of performing steps 1 and 2 follows:

[root@RMHost ]$ /usr/bin/ssh-copy-id -i /opt/jp1pc/agt7/.ssh/agt7.pub ClientUser@TargetHost
The authenticity of host 'TargetHost (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'TargetHost,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.
ClientUser@TargetHost's password: password
Now try logging into the machine, with "ssh 'ClientUser@TargetHost'", and check in:
 
  .ssh/authorized_keys
 
to make sure we haven't added extra keys that you weren't expecting.
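Both the manual procedure (cat >> authorized_keys) and ssh-copy-id simply append, so running either a second time (for example after an overwrite installation) leaves duplicate entries, which is what the ssh-copy-id message above asks you to check for. The following added example (not from this manual or from the product) appends a key only if it is not already listed, enforces the 600 attribute from step 6, and checks the .ssh directory attributes that step 2 says must be correct. The public key line in the demo is constructed, not a real key.

```sh
#!/bin/sh
# Added example: idempotent authorized_keys update and permission check.

# add_authorized_key AUTH_FILE PUBKEY_FILE
# Appends the key from PUBKEY_FILE unless the same key type + blob is
# already listed (the trailing comment field is ignored), then sets 600.
# Returns 0 if added, 3 if it was already present, 1 on error.
# Assumes plain "type blob comment" lines (no options= prefix).
add_authorized_key() {
  auth=$1; pub=$2
  blob=$(awk 'NR == 1 { print $1 " " $2 }' "$pub")
  [ -n "$blob" ] || { echo "no key found in $pub" >&2; return 1; }
  touch "$auth" || return 1
  if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit found ? 0 : 1 }' "$auth"; then
    chmod 600 "$auth"
    return 3
  fi
  cat "$pub" >> "$auth" && chmod 600 "$auth"
}

# count_authorized_keys AUTH_FILE
# Number of key lines (blank and comment lines excluded).
count_authorized_keys() {
  grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# check_ssh_perms HOME_DIR
# The rules from step 2: .ssh is 700 or 755 and owned by the login user, and
# authorized_keys is 600. sshd (StrictModes) rejects the key otherwise.
check_ssh_perms() {
  d=$1/.ssh
  case $(ls -ld "$d" | cut -c1-10) in
    drwx------|drwxr-xr-x) ;;
    *) echo "$d: mode must be 700 or 755" >&2; return 1 ;;
  esac
  [ "$(ls -ld "$d" | awk '{ print $3 }')" = "$(id -un)" ] ||
    { echo "$d: must be owned by $(id -un)" >&2; return 1; }
  case $(ls -l "$d/authorized_keys" | cut -c1-10) in
    -rw-------) ;;
    *) echo "$d/authorized_keys: mode must be 600" >&2; return 1 ;;
  esac
}

# Demo with a constructed (not real) public key line.
demo_authorized_keys() {
  home=$(mktemp -d) || return 1
  mkdir -m 700 "$home/.ssh"
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed root@RMHost\n' > "$home/agt7.pub"
  add_authorized_key "$home/.ssh/authorized_keys" "$home/agt7.pub"        # added
  add_authorized_key "$home/.ssh/authorized_keys" "$home/agt7.pub" || :   # already present (3)
  count_authorized_keys "$home/.ssh/authorized_keys"                      # 1
  check_ssh_perms "$home" && echo "permissions ok"
  rm -rf "$home"
}
```

On the monitored host, run add_authorized_key as the user named in User during monitoring target setup, after receiving agt7.pub with scp as in step 3; check_ssh_perms "$HOME" then tells you, before the first connection attempt, whether sshd will accept the file.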

(4) Checking the connection and registering a fingerprint

To check whether the PFM - RM host and a monitored host can connect to each other:

  1. Log on to the PFM - RM host as a superuser.

  2. From the PFM - RM host, execute the ssh client command against the monitored host, specifying the created private key.

    The connection process begins.

  3. During the initial connection, register the monitored host's fingerprint.

    The ssh client displays the fingerprint of the monitored host's host key and asks whether to continue. Before entering yes, compare the displayed fingerprint with the one obtained from the monitored host itself (for example, by running ssh-keygen -l against its host key file on the console); entering yes for an unverified fingerprint permanently trusts whichever host answered. When you enter yes, the host key is added to the known hosts file and the monitored host's command prompt appears.

  4. From the monitored host's command prompt, execute the exit command to log out from the monitored host.

  5. From the PFM - RM host, execute the ssh client command against the monitored host again to reconnect to it.

    If the monitored host's prompt appears in subsequent connections without you having to enter anything, setup of the connection between the PFM - RM host and the monitored host is complete. From the monitored host's command prompt, execute the exit command to log out from the monitored host.

    If an error occurs or you are prompted for a password, passphrase, or fingerprint confirmation, check whether the procedure was executed correctly.

The following shows an example of the settings for checking the connection:

[root@RMHost]$ /usr/bin/ssh -i /opt/jp1pc/agt7/.ssh/agt7 -p 22 ClientUser@TargetHost
The authenticity of host 'TargetHost (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'TargetHost,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.
Last login: Mon Mar 23 17:17:52 2009 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost ~]$ exit
logout
 
Connection to TargetHost closed.
[root@RMHost]$ /usr/bin/ssh -i /opt/jp1pc/agt7/.ssh/agt7 -p 22 ClientUser@TargetHost
Last login: Mon Mar 23 17:18:00 2009 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost ~]$ exit
logout
 
Connection to TargetHost closed.
[root@RMHost]$
Notes:
  • PFM - RM for Platform assumes that the monitored host's fingerprint has already been registered in the PFM - RM host's known hosts file (that is, that the check above has been completed). Because the fingerprint is registered during the initial ssh client connection, we recommend completing the procedure described here at that point.

  • Confirm that a response is returned in less than 10 seconds when you execute a command such as uname on the monitored host from the PFM - RM host.
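To turn the manual check above into something you can rerun (after a key rotation, or from a cron job), the following added example (not from this manual or from the product) makes the connection strictly non-interactive: BatchMode refuses to prompt for a password or passphrase, StrictHostKeyChecking=yes refuses an unregistered host key instead of asking, and the elapsed time is compared with the 10-second limit from the notes. SSH_CMD is an assumption introduced so the ssh binary can be overridden; the remote command uname is the one the notes mention.

```sh
#!/bin/sh
# Added example: non-interactive connection check with the 10 s bound.

# check_target PRIVATE_KEY USER HOST [PORT]
# Runs "uname" on HOST the way the agent would: key only, no prompts, and
# only if HOST's key is already in known_hosts. Prints the remote answer.
# Returns 0 on success within 10 s, 1 if ssh failed (bad key, unknown host
# key, unreachable, or a password/passphrase would have been needed),
# 2 if the host answered but took 10 s or longer.
check_target() {
  key=$1; user=$2; host=$3; port=${4:-22}
  start=$(date +%s)
  out=$(${SSH_CMD:-ssh} -i "$key" -p "$port" \
          -o BatchMode=yes \
          -o StrictHostKeyChecking=yes \
          -o ConnectTimeout=10 \
          "$user@$host" uname) || return 1
  elapsed=$(( $(date +%s) - start ))
  printf '%s\n' "$out"
  [ "$elapsed" -lt 10 ] || return 2
}

# known_host_registered HOST
# 0 if HOST already has an entry in the user's known_hosts file, which is
# what PFM - RM for Platform assumes before it connects.
known_host_registered() {
  ssh-keygen -F "$1" >/dev/null 2>&1
}

# Typical call on the PFM - RM host (hostnames as in the examples above):
#   known_host_registered TargetHost || echo "run the manual check first"
#   check_target /opt/jp1pc/agt7/.ssh/agt7 ClientUser TargetHost
```

A return code of 1 rather than a hang is the point of BatchMode: whatever would have required typing (a password because the public key was not placed, a passphrase on the key, a yes at the fingerprint prompt) is exactly what the agent cannot supply.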

For details about PFM - Manager startup, see the chapter that describes startup and termination of Performance Management in the Job Management Partner 1/Performance Management User's Guide.