Hitachi

JP1 Version 12 JP1/Automatic Operation Configuration Guide 


1.7.4 Procedure to set public key authentication for SSH connections

Perform the following procedure to set public key authentication:

  1. Set up the SSH server.

  2. Create a public key file and a private key file.

  3. Deploy the private key file to the JP1/AO server.

  4. Specify a passphrase for the private key.

  5. Deploy the public key file to operation target devices.

The following describes the details of each step.

For details about the procedure performed for an OS, see the OS documentation.

To set up the SSH server:

  1. Log in to the target device as a root user.

  2. Open the sshd_config file.

    The folder containing the file depends on the OS.

    • In HP-UX:

      /opt/ssh/etc/sshd_config

    • In OSs other than HP-UX:

      /etc/ssh/sshd_config

  3. Set the value of PubkeyAuthentication to yes. If the line is present but commented out with a leading #, remove the # rather than adding a second line: sshd uses the first value it finds for a keyword and ignores later ones.

  4. Restart the sshd service so that the change takes effect. The following shows an example command for each OS; the exact command might differ depending on the OS version. Keep an existing session open until you have confirmed that you can still log in, because a mistake in sshd_config can lock you out of the device.

    • In Red Hat Enterprise Linux 8:

      systemctl restart sshd

    • In Red Hat Enterprise Linux 6.4:

      /etc/rc.d/init.d/sshd restart

    • In Solaris 10:

      /usr/sbin/svcadm restart ssh

    • In AIX 6.1:

      kill -HUP sshd-process-ID

    • In HP-UX 11i V3:

      /sbin/init.d/secsh stop; /sbin/init.d/secsh start
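The steps above edit one keyword and restart sshd. The following added example, which is not part of the JP1 manual, shows how to make that edit idempotently (it rewrites a commented-out or existing PubkeyAuthentication line instead of appending a duplicate) and how to ask sshd to parse the file before the restart. The file path is a parameter so the functions can be pointed at a copy; on a real device it is /etc/ssh/sshd_config, or /opt/ssh/etc/sshd_config on HP-UX.

```shell
#!/bin/sh
# Added example (not from the JP1 manual). Edits one sshd_config keyword in place
# and validates the result. FILE is passed in so the functions can be run against
# a scratch copy; the real file is /etc/ssh/sshd_config (HP-UX: /opt/ssh/etc/sshd_config).

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." line, whether or not it is commented out with "#",
# as "KEY VALUE". If KEY does not occur at all, the line is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            !done && $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") { print k " " v; done = 1; next }
            { print }
        ' "$file" > "$tmp"
    else
        # awk terminates every record with a newline, so a file lacking a final
        # newline does not get the new keyword glued onto its last line.
        awk -v k="$key" -v v="$value" '{ print } END { print k " " v }' "$file" > "$tmp"
    fi
    # cp onto the existing file keeps its owner and mode bits.
    cp "$tmp" "$file" && rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the first effective (uncommented) value, or nothing.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd_config FILE: have sshd parse FILE without starting it (sshd -t).
# Run this as root before the restart command for your OS; a config error found
# here costs nothing, one found after the restart may leave no way to log in.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found, syntax check skipped" >&2; return 0; }
    sshd -t -f "$1"
}

# Usage on a device (as root):
#   set_sshd_option /etc/ssh/sshd_config PubkeyAuthentication yes
#   check_sshd_config /etc/ssh/sshd_config && systemctl restart sshd
```

After check_sshd_config succeeds, run the restart command listed above for the OS of the device.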

To create a public key and a private key:

Use the OS function or a tool to create a public key file and private key file. To use a tool, see the documentation of the tool for details about how to create the files.

Deploy the created private key file to the JP1/AO server, and the public key file to the operation target devices.

Tip
  • We recommend that you create the public key file and private key file on the JP1/AO server. If you create these files on the JP1/AO server, the private key never has to be transferred to another host, so public key authentication can be set up more safely.

  • For the key type, you can select RSA or DSA. Note that OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so on current OS versions RSA is the practical choice.

  • The permitted key length and key type depend on the OS. Create the public key file and private key file according to the OS specifications of the operation target device.

  • Create the private key in PEM format. With OpenSSH 7.8 and later, ssh-keygen writes its own OpenSSH key format by default; specify the -m PEM option to obtain a PEM file. A PEM private key starts with the line -----BEGIN RSA PRIVATE KEY----- (or -----BEGIN DSA PRIVATE KEY-----), not -----BEGIN OPENSSH PRIVATE KEY-----.

The following shows an example of how to create the public key and private key for an operation target device.

  1. Log in to the target device as a root user.

  2. Execute the ssh-keygen command. Depending on the type of key to be created, enter as follows (add the -m PEM option if your ssh-keygen writes the OpenSSH key format by default; see the Tip above):

    • To create an RSA key, enter:

      ssh-keygen -t rsa

    • To create a DSA key, enter:

      ssh-keygen -t dsa

  3. Specify the path and the file name used to output the private key.

    Do not include multibyte characters in the path and file name.

    A file containing the public key is output to the same path as the private key. The name of this file is the same as the private key file name with the extension .pub.

  4. Specify a passphrase for the private key.

    When you are prompted to enter a passphrase for the private key, enter the passphrase, and then press the Return key. When you are prompted again, enter the same passphrase, and then press the Return key.

    You can omit the passphrase by pressing the Return key without entering anything. The private key is then stored unencrypted and is protected only by the file permissions on the JP1/AO server, so restrict access to the file accordingly.

  5. Transfer the private key file you created to the JP1/AO server over an encrypted channel (for example, scp); do not send it by e-mail or over a shared folder.
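The following added example, which is not part of the JP1 manual, wraps the key creation described above in a form that yields a PEM private key on any OpenSSH version and checks the result before it is transferred. The key size of 4096 bits, the file names and the passphrase handling are assumptions for illustration; the format and permission checks work on any private key file.

```shell
#!/bin/sh
# Added example (not from the JP1 manual). Generates the key pair in the PEM
# private-key format JP1/AO expects and verifies it before it leaves the host.

# make_pem_rsa_key OUTFILE PASSPHRASE
# -m PEM is the important flag: OpenSSH 7.8 and later otherwise write the
# "OPENSSH PRIVATE KEY" format, which is not PEM. An empty PASSPHRASE yields
# an unencrypted key. 4096 bits is an assumption; follow the target OS limits.
make_pem_rsa_key() {
    ssh-keygen -t rsa -b 4096 -m PEM -f "$1" -N "$2" -q
}

# private_key_format FILE: classify the file from its first line.
# Prints "pem", "openssh" or "unknown".
private_key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----') echo pem ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        *) echo unknown ;;
    esac
}

# key_pair_ready KEYFILE: the checks worth running before copying the private
# key to the JP1/AO server. Returns 0 only if all of them pass:
#   - the private key is PEM (what ssh.privateKeyFile requires)
#   - the matching public key KEYFILE.pub exists next to it
#   - the private key is readable by its owner only (mode 0600)
key_pair_ready() {
    key=$1
    [ "$(private_key_format "$key")" = "pem" ] || { echo "not a PEM private key: $key" >&2; return 1; }
    [ -f "$key.pub" ] || { echo "missing public key: $key.pub" >&2; return 1; }
    case "$(ls -l "$key" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "private key must be mode 0600: $key" >&2; return 1 ;;
    esac
}

# Usage:
#   make_pem_rsa_key /root/jp1ao_key 'passphrase-used-in-step-4'
#   key_pair_ready /root/jp1ao_key && scp /root/jp1ao_key jp1ao-server:/path/outside/install/
```

If key_pair_ready reports "not a PEM private key", the file was written in the OpenSSH format; regenerate it with -m PEM (or convert it in place with ssh-keygen -p -m PEM -f KEYFILE, which re-prompts for the passphrase).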

To deploy the private key to the JP1/AO server:

Use the following procedure to deploy the private key you created to the JP1/AO server:

  1. Deploy the created private key file to any path on the JP1/AO server.

  2. Specify the absolute path of the private key file for the ssh.privateKeyFile entry in the user-specified properties file (config_user.properties).

  3. Stop the JP1/AO services.

    In a non-cluster system:

    Execute the hcmds64srv command with the stop option specified.

    In a cluster system:

    Use the cluster software to place the services offline.

  4. Start the JP1/AO services.

    In a non-cluster system:

    Execute the hcmds64srv command with the start option specified.

    In a cluster system:

    Use the cluster software to place the services online.

Tip
  • We recommend that you deploy the private key file to a location other than in the JP1/AO installation folder. This is because if you deploy the private key file in the JP1/AO installation folder, the private key file is automatically deleted when JP1/AO is uninstalled.

  • If JP1/AO is used in a cluster configuration, make sure that the private key file is deployed in the same path on both the active server and the standby server. You can use the same or different private keys for the active server and standby server.

To specify a passphrase for the private key:

Specify the passphrase for the JP1/AO shared built-in service property. This step is not necessary if you specified an empty passphrase when creating the private key file.

  1. In the Administration window, in the Shared Properties Settings area, select the Pass phrase of the private key (for SSH public key authentication) shared built-in service property, and then click the Edit button.

  2. In the Set Service Share Property dialog box, select the Change password check box, and then, in the Value text box, enter the passphrase that was specified when the private key file was created.

  3. Click the OK button.

To deploy the public key to an operation target device:

Use the following procedure to deploy the public key file to an operation target device.

  1. Append the contents of the public key file to the authorized_keys file of the login user, for example by redirecting the output of the cat command (cat id_rsa.pub >> ~/.ssh/authorized_keys). Each key occupies one line; do not split or wrap the line.

  2. Execute the chmod command to set the permissions of the folder that contains the authorized_keys file to 700. By default, this file is contained in the .ssh folder under the user's home folder. Also make sure that the home folder itself is not writable by group or others, because sshd (with the default StrictModes yes) ignores an authorized_keys file whose parent folders have loose permissions.

  3. Execute the chmod command to set the permissions of the authorized_keys file to 600.

Tip

For JP1/AO used in a cluster configuration, if you want to use different private keys for the active and standby servers, deploy the public key file corresponding to the private key file on each server to operation target devices.
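The three deployment steps above, as an added example that is not part of the JP1 manual. The installer appends the key only if that exact line is not already present, so running it again (for instance once per JP1/AO cluster node when the nodes use different keys) does not duplicate entries, and the checker covers the home folder as well as the two chmod targets. The home folder is a parameter so the functions can be exercised against a scratch folder; on a target device it is the home folder of the user JP1/AO logs in as.

```shell
#!/bin/sh
# Added example (not from the JP1 manual). Installs a public key into
# authorized_keys and applies the permissions sshd's StrictModes check requires.
# HOMEDIR is passed in; on the target it is the login user's home folder.

# install_pubkey HOMEDIR PUBKEY_FILE
install_pubkey() {
    home=$1; pub=$2
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    touch "$auth"
    # Append only if this exact line is absent, so re-running is harmless.
    # -x matches whole lines, -F treats the key (which contains "+" and "/") literally.
    if ! grep -qxF "$(cat "$pub")" "$auth"; then
        cat "$pub" >> "$auth"
    fi
    chmod 700 "$sshdir"      # step 2 of the procedure
    chmod 600 "$auth"        # step 3 of the procedure
}

# check_pubkey_perms HOMEDIR
# Verifies what sshd will verify: no group/world write bit on the home folder,
# the .ssh folder or authorized_keys, plus the exact 700/600 modes the manual
# specifies. Returns 0 when everything is in order, 1 with a message otherwise.
check_pubkey_perms() {
    home=$1
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    for p in "$home" "$sshdir" "$auth"; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?) echo "$p is group/world writable ($mode)" >&2; return 1 ;;
        esac
    done
    [ "$(ls -ld "$sshdir" | cut -c1-10)" = "drwx------" ] || { echo "$sshdir is not mode 700" >&2; return 1; }
    [ "$(ls -l "$auth" | cut -c1-10)" = "-rw-------" ] || { echo "$auth is not mode 600" >&2; return 1; }
}

# Usage on a target device, logged in as the user JP1/AO will connect as:
#   install_pubkey "$HOME" /tmp/jp1ao_key.pub && check_pubkey_perms "$HOME"
```

If check_pubkey_perms reports the home folder as writable by group or others, fix it with chmod g-w,o-w on that folder; until then sshd silently falls back to other authentication methods and JP1/AO's connection attempts will fail even though the key was installed.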