1.17.3 Configuring SSH (for Windows)

(1) Configuring an SSH server

To configure an SSH server, follow the procedure below. OS settings and commands may vary depending on the OS version. For details, see the manual for each OS and the release notes for JP1/IM - Manager.

1. Log on to the remotely monitored host as a user with root privileges.

2. Open sshd_config.

   For Linux, Solaris, or AIX: /etc/ssh/sshd_config

   For HP-UX (IPF): /opt/ssh/etc/sshd_config

3. Set yes for PubkeyAuthentication^#1.

4. Set the following items^{#1, #2}.

   • If you are using OpenSSH on Solaris or the OS is not Solaris

     Set no for UseDNS.

   • For Solaris

     Set no for LookupClientHostnames.

5. Set yes for PermitRootLogin^#1.

   Perform this step only when you are logged on as a user with root privileges to collect information.

6. Execute one of the following commands to restart the sshd service.

   The following describes the command to be executed for each OS.

   • For Linux (Linux 6 example)

     /etc/rc.d/init.d/sshd restart

   • For Solaris (Solaris 10 example)

     /usr/sbin/svcadm restart ssh

   • For AIX (AIX 7.1 example)

     kill -HUP sshd-process-ID

   • For HP-UX (HP-UX 11i V3 (IPF) example)

     /sbin/init.d/secsh stop; /sbin/init.d/secsh start

#1

For details about the items to be set and how to set them in sshd_config, see the documentation for your SSH server.

#2

If you do not set these items, make sure that the monitored host can perform name resolution as follows.

• The monitored host can resolve the IP address of the manager host to the host name.

• The IP address resolved from the host name of the manager host matches the IP address of the manager host.

If you are using a DNS server for name resolution and the monitored host cannot connect to the DNS server, the startup of remote-monitoring log file traps or the collection of log files might be delayed. If a delay occurs, the startup of traps or the collection of log files might time out and fail. To prevent this problem, we recommend that you set no for UseDNS and LookupClientHostnames.

To Page Top

(2) Initially creating keys

Log on as a user who remotely monitors the target host in the UNIX environment and execute the ssh-keygen command to create keys. This procedure needs to be performed only the first time that you create keys.

You can choose the type of keys (RSA or DSA).

Before you start the procedure, make sure that only the owner of the keys has the write permission for the directory above the .ssh directory. If anyone other than the owner has the write permission for the higher-level directory, SSH connections fail.

1. Log on as a user who can remotely monitor the target host in an UNIX environment.

2. Execute the ssh-keygen command.

   Enter the command as follows:

   • When creating RSA keys: ssh-keygen -t rsa

   • When creating DSA keys: ssh-keygen -t dsa

3. Determine the names of the file in which the private key will be stored and the directory that will hold the file.

   The path and the file name must not contain multibyte characters. The default setting is ~/.ssh/id_rsa.

4. Press the Return key twice.

   When you are prompted to enter the passphrase for the private key, enter nothing and press the Return key. When you are prompted again, enter nothing and press the Return key again.

   The following is an execution example of the ssh-keygen -t rsa command.

   [root@HOST]$ ssh-keygen -t rsa

   Generating public/private rsa key pair.

   Enter file in which to save the key (/home/ssh-user/.ssh/id_rsa):

   Enter passphrase (empty for no passphrase):

   Enter same passphrase again:

   Your identification has been saved in /home/ssh-user/.ssh/id_rsa.

   Your public key has been saved in /home/ssh-user/.ssh/id_rsa.pub.

   The key fingerprint is:

   ax:xx:xx:xx:xx:bx:xx:xc:xx:xx:xx:xd:xd:xa:ed:xx root@HOST

5. Execute the cat command to add the public key file to the authentication key file.

6. Execute the chmod command to change the attribute of the authentication key file to 600.

   The following is an execution example of the cat and chmod commands.

   [ClientUser@TargetHost .ssh]$ cat id_rsa.pub >> authorized_keys

   [ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

7. Configure AuthorizedKeysFile in /etc/ssh/sshd_config.

   By default, ~/.ssh/authorized_keys or .ssh/authorized_keys is set. If you change the path for the authentication key file created in step 6, check and, if necessary, revise the value of AuthorizedKeysFile. If you change any settings in sshd_config, restart the sshd service as a superuser.

Cautionary notes

• Manage private keys with the utmost care.

• The creation of keys (public key and a private key pair) does not depend on any environment or tool. You can create keys in any environment using any tool. However, after you create keys, you must place the private keys and public keys in the appropriate locations.

To Page Top

(3) Placing the private key on the JP1/IM - Manager host (when keys are initially created)

When the OS of the JP1/IM - Manager host is Windows, place the private key created as described in 1.17.3(2) Initially creating keys on the JP1/IM - Manager host running Windows. The path for the location of the private key must not contain multibyte characters. This procedure needs to be performed only the first time that keys are created.

To Page Top

(4) Registering the location where the private key is placed

To register in the System Common Settings window the location on the JP1/IM - Manager host where the private key is placed:

1. In the IM Configuration Management window, from the menu bar, choose Edit and then System Common Settings.

   The System Common Settings window is displayed.

2. In the System Common Settings window, set the private key file path for SSH.

For details about the items displayed in the System Common Settings window, see 5.20 System Common Settings window in the manual JP1/Integrated Management 2 - Manager GUI Reference.

To Page Top

(5) Placing the public key on the host to be monitored remotely (when keys have already been created)

Place the public key created in 1.17.3(2) Initially creating keys on the host to be monitored remotely. To do so, perform the procedure described below. Note that this procedure needs to be performed only when keys are created on another host and that host will be monitored remotely.

Before you start the procedure, make sure that only the owner of the keys has the write permission for the directory above the .ssh directory. If anyone other than the owner has the write permission for the higher-level directory, SSH connections fail.

1. Log on as a user who can remotely monitor the target host.

2. Navigate to the .ssh directory.

   If the home directory of the user who performs remote monitoring does not contain the .ssh directory, create one. Set 700 as the attribute of the directory.

3. Execute the scp command to copy the public key file to the host to be monitored remotely.

   Copy the public key file created as described in 1.17.3(2) Initially creating keys to the monitored host. Copy the file to the .ssh directory in the home directory of the user who will perform remote monitoring.

4. Execute the cat command to add the contents of the public key file to the authentication key file.

5. Delete the copied public key file.

6. Execute the chmod command to change the attribute of the authentication key file to 600.

7. Configure AuthorizedKeysFile in /etc/ssh/sshd_config.

   By default, ~/.ssh/authorized_keys or .ssh/authorized_keys is set. If you change the path for the authentication key file created in step 6, check and, if necessary, revise the value of AuthorizedKeysFile. If you change any settings in sshd_config, restart the sshd service as a superuser.

An execution example of the scp command, the cat command, and the chmod command is shown below. In this example, the host name of the host where keys are created as described in 1.17.3(2) Initially creating keys is IMHost.

• Example of executing the commands:

  [ClientUser@TargetHost ]$ cd .ssh

  [ClientUser@TargetHost .ssh]$ scp

  root@IMHost:/home/ssh-user/.ssh/id_rsa.pub ./

  root@IMHost's password: Enter a password here.

  id_rsa 100% 233 0.2KB/s 00:00

  [ClientUser@TargetHost .ssh]$ cat id_rsa.pub >> authorized_keys

  [ClientUser@TargetHost .ssh]$ rm id_rsa.pub

  [ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

To Page Top

(6) Specifying access permissions for monitored log files

If the monitored host is a UNIX host, any user who will be establishing SSH connections from the manager host to the monitored host will need the following access permissions:

• Monitored log files

  The user needs the read permission. If the monitored log files are in the SEQ2 format, the user also needs the read permission for the backup files of the monitored log files.

• Directory containing the monitored log files and all of its higher directories

  The user needs the read permission and the execute permission. If the monitored log files are in the SEQ2 format, the user also needs the read permission and the write permission for the directory containing the backup files of the monitored log files and for all of its higher directories.

To Page Top

(7) Checking connections

When SSH client software is installed on the JP1/IM - Manager host in a Windows environment, use the private key placed on the host to verify that you can establish an SSH connection with the remote host that is monitored. In addition, when you establish an SSH connection, make sure that a password and passphrase do not need to be entered.

If an error occurs or you are prompted to enter a password and a passphrase, check whether the settings are specified correctly as described. Also check the settings of the OS to make sure that the OS will allow SSH connections.

Note that during remote monitoring, the following commands must be executable on the hosts that are to be monitored remotely. Make sure that the users that perform remote monitoring can execute these commands.

• uname

• ls

• wc

• tail

• find

• grep

• head

Use the following procedures to check whether these commands can be executed.

To Page Top