Hitachi

JP1 Version 12 JP1/Performance Management - Remote Monitor for Platform Description, User's Guide and Reference


3.1.6 SSH connection setting method for Windows (when the PFM - RM host is running Windows and the monitored host is running UNIX)

This subsection explains how to set up the SSH connection settings necessary for collecting performance data from a monitored host running UNIX. For SSH authentication, you use the public key authentication method.

To connect SSH, settings for the following are required:

The following figure provides an overview of public key authentication.

Figure 3‒7: Concept of public key authentication

[Figure]

For public key authentication in a cluster system, you can either use a common key on both the active server node and the standby server node, or use different keys on these nodes.

To use a common key on both the active server node and the standby server node, copy the key file from the active server node to the standby server node, overwriting any existing key file on the standby server node. The following figure shows the concept of using a common key.

Figure 3‒8: Concept of public key authentication (when a common key is used at both the active server node and the standby server node)

[Figure]

To use different keys on the active server node and the standby server node, register the key files of the active server node and the standby server node at the monitored host. The following figure shows the concept of using different keys.

Figure 3‒9: Concept of public key authentication (when different keys are used at the active server node and the standby server node)

[Figure]


(1) Enabling the SSH server's public key authentication

To enable public key authentication:

  1. Log on to the monitored host as a superuser.

  2. Open /etc/ssh/sshd_config (see #).

  3. Change PubkeyAuthentication to yes.

  4. Save and close /etc/ssh/sshd_config (see #).

  5. Execute the following command to restart the sshd service:

    • For Linux 7, SUSE Linux 12, or SUSE Linux 15

    [root@TargetHost.ssh]$ systemctl restart sshd.service

    • For other OSs

    [root@TargetHost.ssh]$ /etc/rc.d/init.d/sshd restart

    Note

    To log on as a superuser to collect information, open /etc/ssh/sshd_config (see #) and change PermitRootLogin to yes. After that, restart the sshd service.

    #: This will be /opt/ssh/etc/sshd_config when using HP-UX.
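A check for steps 3 and 4, added here as an example that is not part of the manual: sshd uses the first occurrence of a keyword, so a "PubkeyAuthentication yes" appended below an existing "no" has no effect. The function names and the sample file are constructed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the manual. sshd_config is first-match-wins: the
# first occurrence of a keyword in the global section is the one sshd uses.
# Assumption/limitation: Include files and Match blocks are not evaluated.

# sshd_effective KEYWORD FILE -> prints the value in effect (empty if unset)
sshd_effective() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, "") }              # drop leading blanks
        /^#/ || /^$/ { next }               # skip comments and empty lines
        tolower($1) == "match" { exit }     # the global section ends here
        tolower($1) == tolower(want) && NF >= 2 { print $2; exit }
    ' "$2"
}

# check_pubkey_enabled FILE -> status 0 if public key authentication is on.
# OpenSSH enables it by default, so an absent keyword also counts as "yes".
check_pubkey_enabled() {
    v=$(sshd_effective PubkeyAuthentication "$1")
    [ -z "$v" ] || [ "$v" = "yes" ]
}

# make_sample FILE -> writes a constructed sshd_config in which "yes" was
# appended at the end although an earlier "no" is still present.
make_sample() {
    cat > "$1" <<'EOF'
#PubkeyAuthentication yes
PubkeyAuthentication no
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
Match User backup
    PubkeyAuthentication yes
EOF
}

cfg=$(mktemp) && make_sample "$cfg"
for k in PubkeyAuthentication PermitRootLogin AuthorizedKeysFile; do
    echo "$k in effect: $(sshd_effective "$k" "$cfg")"
done
check_pubkey_enabled "$cfg" || echo "public key authentication is NOT enabled"
rm -f "$cfg"
```

On a live host, `sshd -t` checks the file for syntax errors before the restart in step 5, and `sshd -T` prints the configuration that sshd would actually use.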

(2) Creating keys

This subsection explains the procedure for creating keys.

Log on to the PFM - RM host and create a key by using the functionality provided by the SSH client.

- When using PuTTY as the SSH client

You can select RSA or DSA encryption for the key type. The only difference between RSA and DSA encryption is the encryption algorithm; their operation methods are the same.

The following example shows how to create RSA keys.

  1. From the Windows Start menu, choose All Programs, PuTTY, and then PuTTYgen.

    The PuTTY Key Generator window appears.

  2. Under Parameters, make sure that SSH-2 RSA is selected for Type of key to generate, and then click the Generate button.

    A progress bar showing the key generation progress is displayed in Key.

    Because PuTTY uses version 2 of the SSH protocol as the default, SSH-2 RSA is selected. For details about how to change the default used to version 1 of the SSH protocol, see the documentation for PuTTY.

  3. Until the progress bar reaches 100%, randomly move the mouse in the dialog box to generate random numbers necessary for creating a key.

    When the progress bar reaches 100%, the generated random numbers are displayed in Key and a key is generated.

  4. Click the Save private key button to save the private key.

    If you did not enter any value in Key passphrase or Confirm passphrase, a dialog box still appears. Do not enter any value in Key passphrase or Confirm passphrase and click the Yes button.

  5. Click the Save public key button to save the public key.

- When using OpenSSH (supplied with Windows Server 2019) as the SSH client

In this case, only RSA encryption is available for the key type. The following example shows how to create keys.

  1. Log in to the PFM - RM host.

  2. Execute the ssh-keygen -t rsa command.

  3. Determine the destination and name of the private key.

    By default, %userprofile%\.ssh\id_rsa is set.

  4. Press the Enter key twice.

    When you are asked to enter a pass phrase for the private key, press the Enter key without entering anything. When re-entry is prompted, press the Enter key again without entering anything.

The following shows an example of ssh-keygen -t rsa command execution:

C:\work>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\user-name\.ssh\id_rsa): <Enter>
Enter passphrase (empty for no passphrase): <Enter>
Enter same passphrase again: <Enter>
Your identification has been saved in C:\Users\user-name\.ssh\id_rsa.
Your public key has been saved in C:\Users\user-name\.ssh\id_rsa.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user-name@PFM-RM-host-name

(3) Placing the public key on the monitored hosts

Place the created public key on the monitored host. If there are multiple monitored hosts, distribute the key to all of them.

(a) Transferring the public key to the monitored host

Transfer the public key created at the PFM - RM host to the monitored host.

To transfer the public key:

  1. Log on to the monitored host by using the value that was specified in User during monitoring target setup.

    To use common account information, specify the value that is specified in User in common account information (ssh).

  2. Execute the cd command to change the current directory to the .ssh directory under the home directory.

    If the .ssh directory does not exist under the home directory, create it. For the .ssh directory attribute, specify 700 or 755. For the owner and group, specify the same as those specified for the user who was specified during the setup of the monitored host. If the attribute, owner, or group setting of the home directory or the .ssh directory is invalid, SSH connection might fail.

    For details about how to specify directory attributes, see the documentation for the OS.

  3. Start the command prompt at the PFM - RM host, and then execute the following command:

    - When using PuTTY as the SSH client

    Change the current directory to the folder in which PuTTY is installed, and then execute the pscp command provided by PuTTY.

    The following is an example of command execution when a public key is located in the PuTTY installation directory:

    C:\Program Files\PuTTY>pscp.exe agt7.pub ClientUser@TargetHost:.ssh
     ClientUser@TargetHost's password: password
     agt7.pub     | 0 kB |   0.3 kB/s | ETA: 00:00:00 | 100%

    If a message appears asking if a fingerprint should be registered, enter n.

    - When using OpenSSH (supplied with Windows Server 2019) as the SSH client

    The following is an example of command execution when a public key is located in the .ssh directory:

    C:\Users\user-name\.ssh\>scp.exe id_rsa.pub ClientUser@TargetHost:.ssh
     The authenticity of host 'PFM-RM-host-name' can't be established.
     ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
     Are you sure you want to continue connecting (yes/no)? yes
     Warning: Permanently added xxx.xxx.xxx.xxx (ECDSA) to the list of known hosts.
     
     ClientUser@TargetHost's password: password
     id_rsa.pub                                   100%  404     0.4KB/s   00:00

(b) Registering the public key at the monitored host

To register the public key at the monitored host:

  1. Log on to the monitored host by using the value that was specified in User during monitoring target setup.

    To use common account information, specify the value that is specified in User in common account information (ssh).

  2. Execute the cd command to change the current directory to the .ssh directory.

  3. Execute the following command:

    - When using PuTTY as the SSH client

    Execute the ssh-keygen command with both the -i and -f options specified. When you execute the command, the public key you have created with PuTTY is converted into an authentication key file format that can be used with OpenSSH.

    - When using OpenSSH (supplied with Windows Server 2019) as the SSH client

    Execute the cat command, specifying the public key file and, as the redirect destination, the authentication key file. When you execute the command, the content of the received public key file is appended to the authentication key file.

  4. Execute the rm command to delete the public key file received in (a) Transferring the public key to the monitored host.

  5. Execute the chmod command to change the attribute of the authentication key file to 600.

An example of performing steps 2 through 5 follows:

- When using PuTTY as the SSH client

[ClientUser@TargetHost ~]$ cd .ssh
[ClientUser@TargetHost .ssh]$ ssh-keygen -i -f agt7.pub >> authorized_keys
[ClientUser@TargetHost .ssh]$ rm agt7.pub
[ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

- When using OpenSSH (supplied with Windows Server 2019) as the SSH client

[ClientUser@TargetHost ~]$ cd .ssh
[ClientUser@TargetHost .ssh]$ cat id_rsa.pub >> authorized_keys
[ClientUser@TargetHost .ssh]$ rm id_rsa.pub
[ClientUser@TargetHost .ssh]$ chmod 600 authorized_keys

The name of the authentication key file is set by AuthorizedKeysFile of /etc/ssh/sshd_config. For HP-UX, it is /opt/ssh/etc/sshd_config.

By default, ~/.ssh/authorized_keys is set.
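Steps 2 through 5 for both clients, written as one function that can be re-run without duplicating entries. This is an added example, not part of the manual; register_pubkey and mode_of are hypothetical names, the default AuthorizedKeysFile location is assumed, and the key in the demonstration is constructed and non-functional.

```shell
#!/bin/sh
# Added example, not from the manual: steps 2 through 5 as a re-runnable
# function. Function names and the sample key are constructed for illustration.

# mode_of PATH -> permission string such as -rw------- (uses ls, not stat)
mode_of() { ls -ld "$1" | cut -c1-10; }

# register_pubkey PUBFILE [SSHDIR] -> status 0 once the key is registered
register_pubkey() {
    pub=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; } || return 1

    if head -n 1 "$pub" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----'; then
        # File saved by PuTTYgen: convert it, never append it as-is
        line=$(ssh-keygen -i -f "$pub") || return 1
    else
        line=$(sed '/^[[:space:]]*$/d' "$pub")
    fi
    # One entry is one line: "<type> <base64 blob> [comment]"
    if [ $(printf '%s\n' "$line" | wc -l) -ne 1 ] ||
       ! printf '%s\n' "$line" | grep -Eq '^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+=*( |$)'
    then
        echo "$pub is not a single RSA/DSA public key" >&2; return 1
    fi

    touch "$auth" && chmod 600 "$auth" || return 1
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    # Append only when this key blob is not registered yet
    grep -qF -- "$blob" "$auth" || printf '%s\n' "$line" >> "$auth"
    rm -f "$pub"
}

# Demonstration in a scratch directory with a constructed (non-functional) key
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE user-name@PFM-RM-host-name' > "$demo/id_rsa.pub"
register_pubkey "$demo/id_rsa.pub" "$demo/.ssh"
echo "$(mode_of "$demo/.ssh") $(mode_of "$demo/.ssh/authorized_keys")"
rm -rf "$demo"
```

A file that is not a single public key line, such as a private key transferred by mistake, is rejected and left in place instead of being appended.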

(4) Checking the connection and registering a fingerprint

To check whether the PFM - RM host and a monitored host can connect to each other:

  1. Log on to the PFM - RM host by using the value that was specified in RMHost_User during instance environment setup.

    To use common account information, log on to the PFM - RM host by using the value that is specified in User in common account information (pfmhost).

  2. Start the command prompt.

  3. Using the created private key, execute the following command to start the connection process to the monitored host:

    - When using PuTTY as the SSH client

    plink command provided by PuTTY

    - When using OpenSSH (supplied with Windows Server 2019) as the SSH client

    ssh command provided by OpenSSH

  4. During the initial connection, register a fingerprint.

    Register the fingerprint of the monitored host's public key. Here, enter y. When you enter y, the monitored host's command prompt appears.

  5. From the monitored host's prompt, execute the exit command to log out from the monitored host.

  6. From the PFM - RM host, execute the following command again to reconnect to the monitored host.

    - When using PuTTY as the SSH client

    plink command provided by PuTTY

    - When using OpenSSH (supplied with Windows Server 2019) as the SSH client

    ssh command provided by OpenSSH

    If the monitored host's prompt appears in subsequent connections without you having to enter any information, setup of the connection between the PFM - RM host and the monitored host is completed. From the monitored host's command prompt, execute the exit command to log out from the monitored host.

    If an error occurs or if you are asked to enter anything, check to see if you have correctly followed the procedure.

An example of checking the connection follows:

- When using PuTTY as the SSH client

C:\WINDOWS\system32>"C:\Program Files\PuTTY\plink.exe" -ssh -noagent -i "C:\Program Files\PuTTY\agt7.ppk" -P 22 ClientUser@TargetHost
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you 
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Using username "ClientUser".
Last login: Wed Aug  4 13:29:55 2010 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost]$ exit
logout
C:\WINDOWS\system32>"C:\Program Files\PuTTY\plink.exe" -ssh -noagent -i "C:\Program Files\PuTTY\agt7.ppk" -P 22 ClientUser@TargetHost
Using username "ClientUser".
Last login: Wed Aug  4 13:30:00 2010 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost]$ exit
logout
C:\WINDOWS\system32>

- When using OpenSSH (supplied with Windows Server 2019) as the SSH client

C:\Users\user-name\.ssh>ssh -i "C:\Users\user-name\.ssh\id_rsa" -p 22 ClientUser@TargetHost
The authenticity of host '[xxx.xxx.xxx.xxx]:22 ([xxx.xxx.xxx.xxx]:22)' can't be established.
RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[xxx.xxx.xxx.xxx]:22' (RSA) to the list of known hosts.
Last login: Wed Sep 25 09:08:14 2019 from xxx.xxx.xxx.xxx
[ClientUser@TargetHost]$ exit
logout
C:\Users\user-name\.ssh>

Notes:
  • PFM - RM for Platform assumes that fingerprint registration has already been completed. Because you can register a fingerprint during the initial SSH client connection, we recommend that you complete the procedure described here at that point.

  • If you change the user account specified for RMHost_User during the instance environment setup, you need to re-register a fingerprint. If you are using common account information, you also need to re-register a fingerprint when updating the value of User in common account information (pfmhost).

  • If you run PFM - RM for Platform in a cluster system, register a fingerprint on the standby node in the same way as on the executing node.

  • Confirm that a response is returned in less than 10 seconds when you execute a command such as uname on the monitored host from the PFM - RM host.

  • When you use OpenSSH (supplied with Windows Server 2019) as the SSH client, a connection attempt might fail if users other than those specified as RMHost_User in the instance setting have access to the private key file. In this case, select Properties - Security - Advanced for the private key file, and then delete the permissions of users other than those specified as RMHost_User.

For details about PFM - Manager startup, see the chapter that describes startup and termination of Performance Management in the JP1/Performance Management User's Guide.