Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Configuration Guide

3.3.1 Using IM Configuration Management to manage a virtualization configuration

This subsection describes the settings for using IM Configuration Management to manage a virtualization configuration.

Organization of this subsection

(1) Prerequisites for managing a virtualization configuration

The followings are the prerequisites for managing a virtualization configuration.

(a) Conditions for a manageable virtualization configuration

When you manage a KVM, you can manage the virtualization system configuration without virtualization environment management software. To manage virtualization software other than KVM, one of the following virtualization environment managers must be installed on the virtualization system management host.

  • vCenter

  • JP1/SC/CM

  • SCVMM

  • HCSM

The following table describes the requirements for using the above virtualization environment managers. The table after that gives the requirements for KVM.

Table 3‒1: Requirements for virtualization environment management software

Virtualization environment management software

Requirements for the manager

Requirements for the virtualization system management host

Requirements for the VMM host on which the guest OS is running

Requirements for the guest OS

vCenter

The user ID and the password of the account for accessing the vCenter host to which the manager connects are registered in IM Configuration Management.

The manager can communicate with the host on which vCenter is running.

VMware ESX has been installed.

VMware Tools are installed on the guest OSs running on VMware ESX hosts, and IP addresses and host names are assigned to the guest OSs.

JP1/SC/CM

None.

The manager can communicate with JP1/Base on the host on which JP1/SC/CM is running.

Hitachi Compute Blade logical partitioning feature has been installed.

IP addresses and host names are assigned to the guest OSs managed by Hitachi Compute Blade logical partitioning feature.

SCVMM

  • The domain name of the SCVMM host to which the manager connects, the names of users with administrator privileges in the domain, and the passwords of such users are registered in IM Configuration Management.

  • The SCVMM management console is installed on the manager.#1, #2

  • The version of the SCVMM management console matches the version of the SCVMM on the collection-target virtualization system management host.

  • The OS on the host on which SCVMM is running is Windows Server 2012 or Windows Server 2008 R2.

  • The SCVMM management console that is installed on the manager can communicate with the SCVMM that is installed on the virtualization system management host.

  • The version of SCVMM matches the virtualization system management hosts that are specified as collection targets by a specific manager.

Hyper-V or vCenter has been installed.

Hyper-V Integrated Services is installed on the guest OSs running on Hyper-V hosts, and IP addresses and host names are assigned to the guest OSs.

HCSM

  • The user name, the password, and the port number of the HCSM host to which the manager connects are registered in IM Configuration Management.

  • HTTP communication can be used with the above user name, password, and port number on the HCSM host to which the manager connects.

None.

  • HCSM manages the chassis and blade on which Hitachi Compute Blade logical partitioning feature is running.

  • HCSM manages the host whose virtualization system configuration is to be collected.

IP addresses and host names are assigned to the guest OSs managed by Hitachi Compute Blade logical partitioning feature.

#1: Do not install different versions of SCVMM management console on the same manager.

#2: Check prerequisite OSs for installing the SCVMM management console beforehand.

Table 3‒2: Requirements for KVM

Requirements for the manager

Requirements for the VMM host on the virtual host

Requirements for the guest OS

  • The OS user ID, the password of the private key, and port number of the KVM host to which the manager connects are registered in IM Configuration Management.

  • The manager can connect to the KVM host to which the manager wants to connect with SSH based on the information registered in IM Configuration Management.

  • The OS user registered in IM Configuration Management has root privileges.

The public key required for SSH connection with the manager has been distributed.

  • IP addresses and host names are assigned to the guest OSs managed by KVM.

  • The guest OSs managed by KVM can resolve the IP address and host name of the local host.

  • The host names of the guest OSs managed by KVM are the same as the host identification names defined by KVM.#

  • If the host names of the guest OSs are changed, the host identification names defined by KVM are also redefined as the same names.

#: When you collect the virtualization configuration information of KVM, collect the host identification name (called a domain name in KVM) displayed in Id Name when the virsh list command is executed, defined by KVM as the host name of a virtual host.

For details, see 7.3 Virtualization configuration management in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

(b) Conditions of JP1/Base for managing a virtualization configuration

Make sure that the following settings of JP1/Base satisfy the prerequisites for managing a virtualization configuration.

  • JP1 permission levels

    Use either of the following JP1 permission levels when using IM Configuration Management to manage a virtualization configuration.

    • JP1_CF_Admin

    • JP1_CF_Manager

    When you use IM Configuration Management - View to apply a virtualization system configuration to Central Scope, the JP1 user who logs on to IM Configuration Management - View must have the following permissions:

    • JP1 resource group: JP1_Console

    • JP1 permission level: JP1_Console_Admin

  • Requirements for registering hosts

    • When you register host names you obtain from the virtualization configuration information in IM Configuration Management without change, check whether the name of the event server of JP1/Base running on the hosts to be registered satisfies the following requirements:

      - When you register short host names in IM Configuration Management, the name of the event server of JP1/Base running on the hosts to be registered is a short name.

      - When you register FQDN host names in IM Configuration Management, the name of the event server of JP1/Base running on the hosts to be registered is an FQDN.

    • If the host names obtained from the virtualization configuration information differ from the host names you want to register in IM Configuration Management, use the Register Host window to register the hosts with the host names you want registered in IM Configuration Management.

To Page Top

(2) Setting virtualization configuration information

Use one of the following methods to specify information about the virtual hosts that are to be added to the JP1/IM system:

(a) Using the Register Host window to register virtual hosts

Invoke the Register Host window from the IM Configuration Management window to register new virtual hosts.

  1. In the IM Configuration Management window, click the Host List tab to display the Host List page.

  2. Use either of the following methods to display the Register Host window:

    • In the tree area, select Host List. From the menu bar, choose Edit, and then Register Host.

    • In the tree area, right-click Host List to display a pop-up menu and then choose Register Host.

  3. In the Register Host window, enter information in the blank boxes to register a new host.

    In the Host type section, select Physical host or Virtual host from the drop-down list.

    When you select Physical host in the Host type section

    In the Virtual Manager Settings window, in the Virtual Manager Type section, from the top drop-down list, select the name of virtualization management software installed on the host.

    When you select Virtual host in the Host type section

    In the VMM host box, specify the name of the host on which virtualization software is installed.

    In the Virtual Manager Type box, specify the name of the virtualization management software that manages the host.

(b) Collecting virtualization configuration information on the virtualization system management host

Collect virtualization configuration information on the virtualization system management host and set the virtualization configuration information of the managed host in IM Configuration Management.

For details about how to collect virtualization configuration information on the virtualization system management host, see 3.3.2 Collecting virtualization system configuration information.

To Page Top

(3) Adding virtual hosts to the system hierarchy

Use IM Configuration Management - View to add the virtual hosts in 3.3.1(2) Setting virtualization configuration information to the system hierarchy (IM configuration). For details about how to add hosts to the JP1/IM system configuration, see 3.2.4 Editing the system hierarchy.

To Page Top

(4) Applying the system hierarchy to the system

Use IM Configuration Management - View to apply the system hierarchy (IM configuration) that was set in 3.3.1(3) Adding virtual hosts to the system hierarchy to the system. For details about how to apply a system hierarchy to a system, see 3.2.4(3) Applying a system hierarchy to a system managed by IM Configuration Management.

Once you have applied the system hierarchy to the system, you can view the hierarchical relationships between physical and virtual hosts on the IM Configuration page in the IM Configuration Management window.

To Page Top

(5) Installing certificates

When you collect virtualization configuration information from hosts running vCenter and VMware ESX, you can choose between using SSL (https) and not using SSL (http).

Important

Due to vCenter and VMware ESX specifications, vCenter and VMware ESX version 5.5 and version 6 only support HTTPS as the communication type used for acquiring the virtualization configuration information.

In addition, for other versions, HTTP connections might not be supported due to vCenter and VMware ESX specifications. When HTTP connections cannot be used, use HTTPS as the connection protocol between JP1/IM - Manager and vCenter and VMware ESX. For details about the support status of the vCenter and VMware ESX connection protocol, contact the original distributer of vCenter and VMware ESX.

When the manager uses SSL to communicate with vCenter or VMware ESX, the certificate for the vCenter host or the VMware ESX host must be installed on the manager running JP1/IM - Manager. Install a certificate for each vCenter or VMware ESX host that the manager communicates with.

The following provides an overview of installing a vCenter host or a VMware ESX host certificate. For details, see the vCenter or VMware ESX documentation.

(a) Obtaining certificates

The two ways to obtain an SSL certificate from VMware ESX are by using Internet Explorer and by obtaining the certificate files directly. To obtain an SSL certificate from vCenter, use Internet Explorer. This subsection describes both methods.

■ Using Internet Explorer

If you are using Internet Explorer to obtain SSL certificates from VMware ESX or vCenter, see Internet Explorer's Help.

■ Obtaining certificate files directly

In the case of VMware ESX 3.5, a certificate file is stored in /etc/vmware/ssl/rui.crt on the VMware ESX host.

(b) Installing certificates in IM Configuration Management

Install the obtained certificate in IM Configuration Management using the procedure described below.

■ In Windows

This procedure must be performed by a user with Administrator permissions.

To install a certificate in IM Configuration Management:

  1. Open a command prompt and move to Manager-path\bin\jdk\bin.

  2. Execute the Keytool command to install the certificate in IM Configuration Management.

    keytool -import -file certificate-file-name -alias host-name -keystore ..\..\..\data\imcf\vmware.keystore

    For certificate-file-name, specify the name of the certificate file (including path) that was acquired in (a) Obtaining certificates.

    Note: If you want to install a certificate for a logical host, replace ..\..\.. with shared-directory\JP1IMM.

    For certificate-file-name, specify the name of the certificate file (including the path) that was obtained in 3.3.1(5)(a) Obtaining certificates. For host-name, specify the name of the vCenter host or the VMware ESX host from which the certificate is to be obtained.

  3. Enter any password for the key store.

    If you install multiple certificates, enter the same password for each of them.

  4. When a message asking whether the certificate is to be trusted is displayed, enter yes.

    The certificate is installed in IM Configuration Management.

  5. Repeat steps 1 to 4 for each vCenter host or VMware ESX host.

■ In UNIX

This procedure must be performed by a user with superuser permissions.

To install a certificate in IM Configuration Management:

  1. Open the console or terminal, and then execute cd /opt/jp1imm/bin/jdk/bin.

  2. Execute the Keytool command to install the certificate in IM Configuration Management.

    ./keytool -import -file certificate-file-name -alias host-name -keystore /var/opt/jp1imm/data/imcf/vmware.keystore

    Note: If you want to install a certificate for a logical host, replace /var/opt/jp1imm with shared-directory/jp1imm.

    For certificate-file-name, specify the name of the certificate file (including the path) that was obtained in 3.3.1(5)(a) Obtaining certificates.

    For host-name, specify the name of the vCenter host or the VMware ESX host from which the certificate is to be obtained.

  3. Enter any password for the key store.

    If you install multiple certificates, enter the same password for each of them.

  4. When a message asking whether the certificate is to be trusted is displayed, enter yes.

    The certificate is installed in IM Configuration Management.

  5. Repeat steps 1 to 4 for each vCenter host or VMware ESX host.

(c) Deleting certificates from IM Configuration Management

This subsection explains how to delete certificates from IM Configuration Management.

■ In Windows

  1. Open a command prompt and move to Manager-path\bin\jre\bin.

  2. Execute the Keytool command to delete a certificate from IM Configuration Management.

    keytool -delete -alias host-name -keystore ..\..\..\data\imcf\vmware.keystore

    Note: If you want to delete the certificate for a logical host, replace ..\..\.. with shared-directory\JP1IMM.

    For host-name, specify the name of the vCenter host or the VMware ESX host from which the certificate you want to delete was obtained.

  3. Enter the password that was specified in 3.3.1(5)(b) Installing certificates in IM Configuration Management.

    The specified vCenter host or VMware ESX host certificate is deleted from IM Configuration Management.

■ In UNIX

  1. Open the console or terminal, and then execute cd /opt/jp1imm/bin/jre/bin.

  2. Execute the Keytool command to delete a certificate from IM Configuration Management.

    ./keytool -delete -alias host-name -keystore /var/opt/jp1imm/data/imcf/vmware.keystore

    Note: If you want to delete the certificate for a logical host, replace /var/opt/jp1imm with shared-directory/jp1imm.

    For host-name, specify the name of the vCenter host or the VMware ESX host from which the certificate you want to delete was obtained.

  3. Enter the password that was specified in 3.3.1(5)(b) Installing certificates in IM Configuration Management.

    The certificate for the specified vCenter host or VMware ESX host is deleted from IM Configuration Management.

To Page Top

(6) Changing the communication type for VMware ESX

The jcfcolvmesx command enables you to communicate with VMware ESX using an interface of VMware Infrastructure SDK in order to acquire virtualization configuration information.

The default is the setting that allows only the method that uses SSL (https).

This subsection provides an overview of how to change the communication type permitted by VMware Infrastructure SDK. Note, however, that the procedure might differ depending on the version of VMware ESX. For details, see the VMware ESX documentation.

To change the communication type for VMware ESX:

  1. Log on to the service console of VMware ESX with superuser permissions.

  2. Move to /etc/vmware/hostd.

  3. Use a text editor to open the proxy.xml file.

  4. Change the VMware Infrastructure SDK item in the <EndpointList> tag in the proxy.xml file and then save the file.

    In the following example, change the item in bold type according to the communication type that is to be used.

    ...

    <e id="1">

    <_type>vim.ProxyService.NamedPipeServiceSpec</_type>

    <accessMode>httpsWithRedirect</accessMode>

    <pipeName>/var/rum/vmware/proxy-sdk</pipeName>

    <serverNamespace>/sdk</serverNamespace>

    </e>

    ...

    • To allow only the method that uses SSL (https), specify httpsWithRedirect.

    • To allow only the method that does not use SSL (http), specify httpOnly.

    • To allow both the method that uses SSL (https) and the method that does not use SSL (http), specify httpAndHttps.

  5. Execute the following command to restart the vmware-hostd process:

    service mgmt-vmware restart

To Page Top

(7) Changing the communication type for vCenter

The jcfcolvmvc command enables you to communicate with vCenter using a VMware Infrastructure SDK interface in order to obtain virtualization configuration information. The virtualization configuration collection function that works for vCenter hosts via the IM Configuration Management window operates in the same way.

By default, only communication using SSL (https) is permitted.

The following provides an overview of how to change the communication type permitted by VMware Infrastructure SDK. Note, however, that the procedure might differ depending on the version of vCenter. For details, see the vCenter documentation.

  1. Log on to the vCenter host as a user with Administrator permissions.

  2. Navigate to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter.

  3. Use a text editor to open the proxy.xml file.

  4. Change the VMware Infrastructure SDK item in the <EndpointList> tag in the proxy.xml file, and then save the file.

    In the following example, change the item in bold type according to the communication type that is to be used.

    ...

    <e id="5">

    <_type>vim.ProxyService.LocalServiceSpec</_type>

    <accessMode>httpsWithRedirect</accessMode>

    <port>8085</port>

    <serverNamespace>/sdk</serverNamespace>

    </e>

    ...

    • To allow only the method that uses SSL (https), specify httpsWithRedirect.

    • To allow only the method that does not use SSL (http), specify httpOnly.

    • To allow both methods, specify httpAndHttps.

  5. Use the command line or the Services window to restart vCenter Service.

To Page Top

(8) Setting up an SSH connection with the host started by KVM (in Windows)

This subsection describes how to configure SSH when the JP1/IM - Manager host is running in a Windows environment. SSH uses public-key cryptography for authentication.

To establish SSH connections, you need to:

Important

Do not use interactive commands such as stty, tty, tset, and script in the login script of the user who is permitted to establish SSH connections. If you must use these commands in the login script, create another user who is permitted to establish SSH connections for the host on which KVM has been installed. Alternatively, change the login script of the user who is permitted to establish SSH connections so that these commands will not be executed.

(a) Configuring an SSH server

To configure an SSH server:

  1. Log on to the host on which KVM has been installed as a user with root privileges.

  2. Open /etc/ssh/sshd_config.

  3. Set yes for PubkeyAuthentication#1.

  4. Set no for UseDNS#1, #2.

  5. Set yes for PermitRootLogin#1.

  6. Execute the following command to restart the sshd service.

    /etc/rc.d/init.d/sshd restart

    Note that these commands might differ depending on the version of the OS. For details, see the documentation of the applicable OS.

#1

For details about the items to be set and how to set them in sshd_config, see the documentation for your SSH server.

#2

If you do not set these items, make sure that the host on which KVM has been installed can perform name resolution as follows.

  • The host can resolve the IP address of the manager host to the manager host name.

  • The IP address resolved from the host name of the manager host matches the IP address of the manager host.

If you are using a DNS server for name resolution and the host on which KVM has been installed cannot connect to the DNS server, the collection of virtualization configuration information from KVM might be delayed. If a delay occurs, startup or collection might time out and fail. To prevent this problem, we recommend that you set no for UseDNS and LookupClientHostnames.

(b) Initially creating keys

Log on to the host on which KVM has been installed as a user who collects virtualization configuration information from KVM and execute the ssh-keygen command to create keys. You only need to do this the first time that you create keys.

You can choose the type of keys (RSA or DSA).

Before you start the procedure, make sure that only the owner of the keys has write permission for the directory above the .ssh directory. If anyone other than the owner has write permission for the higher-level directory, SSH connections will fail.

  1. Log on to the host on which KVM has been installed as a user who can collect virtualization configuration information from KVM.

  2. Execute the ssh-keygen command.

    Enter the command as follows:

    • When creating RSA keys: ssh-keygen -t rsa

    • When creating DSA keys: ssh-keygen -t dsa

  3. Determine the name of the file in which the private key will be stored and the directory that will hold the file.

    The path and the file name must not contain multibyte characters. The default setting is ~/.ssh/id_rsa.

  4. Press the Return key twice.

    When you are prompted to enter the passphrase for the private key, enter nothing and press the Return key. When you are prompted again, enter nothing and press the Return key again.

    The following is an example of executing the ssh-keygen -t rsa command.

    [root@HOST]$ ssh-keygen -t rsa

    Generating public/private rsa key pair.

    Enter file in which to save the key (/home/ssh-user/.ssh/id_rsa):

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in /home/ssh-user/.ssh/id_rsa.

    Your public key has been saved in /home/ssh-user/.ssh/id_rsa.pub.

    The key fingerprint is:

    ax:xx:xx:xx:xx:bx:xx:xc:xx:xx:xx:xd:xd:xa:ed:xx root@HOST

  5. Execute the cat command to add the public key file to the authentication key file.

  6. Execute the chmod command to change the attribute of the authentication key file to 600.

    The following is an example of executing the cat and chmod commands.

    [ClientUser@TargetHost .ssh]$ cat id_rsa.pub >> authorized_keys

    [ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

  7. Configure AuthorizedKeysFile in /etc/ssh/sshd_config.

    By default, ~/.ssh/authorized_keys or .ssh/authorized_keys is set. If you change the path for the authentication key file created in step 6, check and, if necessary, revise the value of AuthorizedKeysFile. If you change any settings in sshd_config, restart the sshd service as a superuser.

Cautionary notes

  • Manage private keys with the utmost care.

  • The creation of keys (public key and a private key pair) does not depend on any environment or tool. You can create keys in any environment using any tool. However, after you create keys, you must place the private keys and public keys in the appropriate locations.

(c) Placing the private key on the JP1/IM - Manager host (when keys are initially created)

When the OS of the JP1/IM - Manager host is Windows, place the private key created as described in 3.3.1(8)(b) Initially creating keys on the JP1/IM - Manager host running Windows. The path for the location of the private key must not contain multibyte characters. This only needs to be done the first time that keys are created.

(d) Placing the public key on the host on which KVM has been installed (when keys have already been created)

Place the public key created in 3.3.1(8)(b) Initially creating keys on the host on which KVM has been installed. To do so, follow the procedure below. Note that this only needs to be done when keys were created on another host.

Before you start the procedure, make sure that only the owner of the keys has write permission for the directory above the .ssh directory. If anyone other than the owner has write permission for the higher-level directory, SSH connections will fail.

  1. Log on to the host on which KVM has been installed as a user who can collect virtualization configuration information from KVM.

  2. Navigate to the .ssh directory.

    If the home directory of the user who collects virtualization configuration information from KVM does not contain the .ssh directory, create one. Set 700 as the attribute of the directory.

  3. Execute the scp command to copy the public key file to the host on which KVM has been installed.

    Copy the public key file created as described in 3.3.1(8)(b) Initially creating keys to the monitored host. Copy the file to the .ssh directory in the home directory of the user who will collect virtualization configuration information from KVM.

  4. Execute the cat command to add the contents of the public key file to the authentication key file.

  5. Delete the copied public key file.

  6. Execute the chmod command to change the attribute of the authentication key file to 600.

  7. Configure AuthorizedKeysFile in /etc/ssh/sshd_config.

    By default, ~/.ssh/authorized_keys or .ssh/authorized_keys is set. If you change the path for the authentication key file created in step 6, check and, if necessary, revise the value of AuthorizedKeysFile. If you change any settings in sshd_config, restart the sshd service as a superuser.

An example of executing the scp, cat, and chmod commands is shown below. In this example, the host name of the host where keys are created as described in 3.3.1(8)(b) Initially creating keys is IMHost.

  • Example of executing the commands:

    [ClientUser@TargetHost ]$ cd .ssh

    [ClientUser@TargetHost .ssh]$ scp

    root@IMHost:/home/ssh-user/.ssh/id_rsa.pub ./

    root@IMHost's password: Enter a password here.

    id_rsa 100% 233 0.2KB/s 00:00

    [ClientUser@TargetHost .ssh]$ cat id_rsa.pub >> authorized_keys

    [ClientUser@TargetHost .ssh]$ rm id_rsa.pub

    [ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

(e) Checking connections

When SSH client software is installed on the JP1/IM - Manager host in a Windows environment, use the private key placed on the host as described in 3.3.1(8)(c) Placing the private key on the JP1/IM - Manager host (when keys are initially created) and check whether you can establish an SSH connection with the host on which KVM has been installed. In addition, when you establish an SSH connection, make sure that a password and passphrase do not need to be entered.

If an error occurs or you are prompted to enter a password and a passphrase, check whether the settings are specified correctly as described. Also check the settings of the OS to make sure that the OS will allow SSH connections.

Note that when virtualization configuration information from KVM is collected, the following commands must be executable on the hosts on which KVM has been installed. Make sure that the users that collect virtualization configuration information from KVM can execute these commands. If these commands cannot be executed, make sure that KVM has been installed correctly and that the command path has been set correctly.

  • virsh version

  • virsh list --all

To Page Top

(9) Setting up an SSH connection with the host started by KVM (in UNIX)

This subsection describes how to configure SSH when the JP1/IM - Manager host is running in a UNIX environment. SSH uses public-key cryptography for authentication.

To establish SSH connections, you need to:

Important

Do not use interactive commands such as stty, tty, tset, and script in the login script of the user who is permitted to establish SSH connections. If you must use these commands in the login script, create another user who is permitted to establish SSH connections for collecting virtualization configuration information from KVM. Alternatively, change the login script of the user who is permitted to establish SSH connections so that these commands will not be executed.

(a) Configuring an SSH server

To configure an SSH server:

  1. Log on to the host on which KVM has been installed as a user with root privileges.

  2. Open /etc/ssh/sshd_config.

  3. Set yes for PubkeyAuthentication#1.

  4. Set no for UseDNS#1, #2.

  5. Set yes for PermitRootLogin#1.

  6. Execute the following command to restart the sshd service.

    /etc/rc.d/init.d/sshd restart

    Note that these commands might differ depending on the version of the OS. For details, see the documentation of the applicable OS.

#1

For details about the items to be set and how to set them in sshd_config, see the documentation for your SSH server.

#2

If you do not set these items, make sure that the host on which KVM has been installed can perform name resolution as follows.

  • The host can resolve the IP address of the manager host to the manager host name.

  • The IP address resolved from the host name of the manager host matches the IP address of the manager host.

If you are using a DNS server for name resolution and the host on which KVM has been installed cannot connect to the DNS server, the collection of virtualization configuration information from KVM might be delayed. If a delay occurs, startup or collection might time out and fail. To prevent this problem, we recommend that you set no for UseDNS and LookupClientHostnames.

(b) Initially creating keys

Log on to the JP1/IM - Manager host in a UNIX environment a user with root privileges and execute the ssh-keygen command to create keys. You only need to do this the first time that you create keys.

You can choose the type of keys (RSA or DSA).

  1. Log on to the JP1/IM - Manager host as a user with root privileges.

  2. Execute the ssh-keygen command.

    Enter the command as follows:

    • When creating RSA keys: ssh-keygen -t rsa

    • When creating DSA keys: ssh-keygen -t dsa

  3. Determine the names of the file in which the private key will be stored and the directory that will hold the file.

    The path and the file name must not contain multibyte characters. The default setting is ~/.ssh/id_rsa.

  4. Press the Return key twice.

    When you are prompted to enter the passphrase for the private key, enter nothing and press the Return key. When you are prompted again, enter nothing and press the Return key again.

    The following is an example of executing the ssh-keygen -t rsa command.

    [root@HOST]$ ssh-keygen -t rsa

    Generating public/private rsa key pair.

    Enter file in which to save the key (/home/ssh-user/.ssh/id_rsa):

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in /home/ssh-user/.ssh/id_rsa.

    Your public key has been saved in /home/ssh-user/.ssh/id_rsa.pub.

    The key fingerprint is:

    ax:xx:xx:xx:xx:bx:xx:xc:xx:xx:xx:xd:xd:xa:ed:xx root@HOST

Cautionary notes

  • Manage private keys with the utmost care.

  • The creation of keys (public key and a private key pair) does not depend on any environment or tool. You can create keys in any environment using any tool. However, after you create keys, you must place the private keys and public keys in the appropriate locations.

(c) Placing the public key on the host on which KVM has been installed

Place the public key created in 3.3.1(9)(b) Initially creating keys on the host on which KVM has been installed. To do so, follow the procedure below.

Before you start the procedure, make sure that only the owner of the keys has write permission for the directory above the .ssh directory. If anyone other than the owner has write permission for the higher-level directory, SSH connections will fail.

  1. Log on to the host on which KVM has been installed as a user who can collect virtualization configuration information from KVM.

  2. Navigate to the .ssh directory.

    If the home directory of the user who collects virtualization configuration information from KVM does not contain the .ssh directory, create one. Set 700 as the attribute of the directory.

  3. Execute the scp command to copy the public key file to the host on which KVM has been installed.

    Copy the public key file created as described in 3.3.1(9)(b) Initially creating keys to the host on which KVM has been installed. Copy the file to the .ssh directory in the home directory of the user who will collect virtualization configuration information from KVM.

  4. Execute the cat command to add the contents of the public key file to the authentication key file.

  5. Delete the copied public key file.

  6. Execute the chmod command to change the attribute of the authentication key file to 600.

  7. Configure AuthorizedKeysFile in /etc/ssh/sshd_config.

    By default, ~/.ssh/authorized_keys or .ssh/authorized_keys is set. If you change the path for the authentication key file created in step 6, check and, if necessary, revise the value of AuthorizedKeysFile. If you change any settings in sshd_config, restart the sshd service as a superuser.

An example of executing the scp, cat, and chmod commands is shown below. In this example, the host name of the JP1/IM - Manager host where keys are created as described in 3.3.1(9)(b) Initially creating keys is IMHost.

  • Example of executing the commands:

    [ClientUser@TargetHost ]$ cd .ssh

    [ClientUser@TargetHost .ssh]$ scp root@IMHost:/home/ssh-user/.ssh/id_rsa.pub ./

    root@IMHost's password: Enter a password here.

    id_rsa.pub 100% 233 0.2KB/s 00:00

    [ClientUser@TargetHost .ssh]$ cat id_rsa.pub >> authorized_keys

    [ClientUser@TargetHost .ssh]$ rm id_rsa.pub

    [ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

(d) Checking connections

To check whether the JP1/IM - Manager host can connect to the host on which KVM has been installed:

  1. Log on to the JP1/IM - Manager host as a user with root privileges.

  2. Use the created private key to execute the ssh command on the host on which KVM has been installed.

If the connection succeeds without any entry, the SSH setting has been completed.

If an error occurs or you are prompted to enter a password and a passphrase, check whether the settings are specified correctly as described. Also check the settings of the OS to make sure that the OS will allow SSH connections.

The following example executes the ssh command to check connections:

In this example, the host name of the JP1/IM - Manager host is IMHost, the host name of the monitored host is TargetHost, and the user name that will collect virtualization configuration information from KVM is ssh-user.

  • Example of executing the commands:

    [root@IMHost]$ /usr/bin/ssh -i /home/ssh-user/.ssh/id_rsa -p 22 ssh-user@TargetHost

    The authenticity of host 'TargetHost (xxx.xxx.xxx.xxx)' can't be established.

    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.

    Are you sure you want to continue connecting (yes/no)? yes

    Warning: Permanently added 'TargetHost,xxx.xxx.xxx.xxx' (RSA) to the list of known hosts.

    Last login: Mon Mar 23 17:17:52 2011 from xxx.xxx.xxx.xxx

    [ssh-user@TargetHost ~]$ exit

    logout

    Connection to TargetHost closed.

    [root@IMHost]$

Note that when virtualization configuration information from KVM is collected, the following commands must be executable on the hosts on which KVM has been installed. Make sure that the users that collect virtualization configuration information from KVM can execute these commands. If these commands cannot be executed, make sure that KVM has been installed correctly and that the command path has been set correctly.

  • virsh version

  • virsh list --all

To Page Top

Copyright (C) 2019, 2021, Hitachi, Ltd.

Copyright (C) 2019, 2021, Hitachi Solutions, Ltd.