Configure private key authentication with secure shell

This section provides information on how to configure private key authentication with secure shell (SSH).

Prerequisites

Before you configure private key authentication, make sure the following:

  • SSH is installed.

  • The SSH server is configured for private key authorization.

  • The ssh-keygen utility is part of the Cygwin installation. (To get this utility, you must enable the Open SSH components during Cygwin installation.)

  • Verify that the PPM user account can be used to log on to the remote host through the SSH session.

  • Add the RSA certificate information of the remote host to the ssh known_hosts file, which is located in the <PPM_Home> directory.

Back to top

Configure private key authentication

Follow the steps below to configure private key authentication with SSH.

Step 1: Add the RSA certificate of the remote SSH host to the PPM Server SSH known_hosts file.

  1. Log on to the PPM Server as the PPM user.

  2. From the command line, run the following:

    ssh <User_ID>@<Remote_Host>

    The first time you run this command, you are prompted to indicate whether you want to continue.

  3. Type yes.
  4. Terminate the SSH connection with the remote host.

Step 2: Set up private key authentication with SSH

  1. Generate the private/public key pair on the PPM Server.

  2. Add the generated public key to the remote SSH Authorized_Key file.
  3. Configure the PPM Server.

The following sections provide the steps required to perform each of these tasks.

Step 3: Generate the private and public keys

To generate the private/public key pair on the PPM Server:

  1. Log on to the PPM Server machine as the PPM user.

  2. Change directory to the home directory defined for the PPM user on the operating system.

  3. Run the following SSH utility:

    ssh-keygen -t rsa -b 1024, or

    ssh-keygen -t ecdsa if you use the FIPS compliant encryption.

    Note: PPM does not support the DSA key type.

    Do not provide the "passphrase".

  4. Press Enter twice.

  5. Verify that the <PPM_Home>/<PPM_User>/.ssh directory now contains the following files:

    • id_rsa or id_ecdsa(the private key), and

    • id_rsa.pub or id_ecdsa.pub (the public key)

Tip: If you use OpenSSH 7.8 or later versions, you may receive the "invalid privatekey" exception. This is because OpenSSH 7.8 and later versions generate the keys in the new OpenSSH format (starts with BEGIN OPENSSH PRIVATE KEY), which is not supported by JSch. In this case, you can use ssh-keygen to convert the keys to the legacy OpenSSH format (ssh-keygen -t ECDSA -m PEM ).

Step 4: Add the public key to the SSH authorized_keys file on the remote host

To append the public key to the remote SSH authorized_keys file (remote hosts):

  1. Transfer the id_rsa.pub or id_ecdsa.pub file to the remote SSH host machine, in the /<PPM_User_Home_Directory>/.ssh directory as ppm_id_rsa.pub or ppm_id_ecdsa.pub.

    Note: On the remote UNIX host, the .ssh directory is in the /home/<PPM_User>/ directory. On Windows, the location depends on the user home directory defined during Cygwin installation.

  2. Log on to the remote host with the user ID that the PPM Server is to use to connect.

  3. Change directory to the <PPM_Home>/<User_ID>/.ssh directory and locate the authorized_keys file.

    Note: If the authorized_keys file does not exist, create it.

  4. Append the contents of the itg_id_rsa.pub or itg_id_ecdsa.pub file to the authorized_keys file, by running the command:

    cat ppm_id_rsa.pub > authorized_keys, or

    cat ppm_id_ecdsa.pub > authorized_keys if you use the the FIPS compliant encryption.

  5. Repeat these steps on the PPM Server to enable public key authentication from the PPM Server back to itself.

Step 5: Reconfigure the PPM Server

  1. Open the server.conf file in a text editor.

  2. Add the following server directive to the file.

    com.kintana.core.server.SSH_PRIVATE_IDENTITY_FILE=/<PPM_Home>/<PPM_User>/.ssh/id_rsa
  3. Change to the <PPM_Home>/bin directory.

  4. To update the required startup files, run the kUpdateHtml.sh script.

  5. Restart the PPM Server.

Step 6: Verify server configuration

  1. Open a command-line window outside of the PPM Server.

  2. Log on to the PPM Server machine as the PPM user, as follows.

    ssh <User_ID>@<Remote_Host>

    Note: You should not be prompted for the password. It should log on to the remote host using the RSA key file.

  3. On the PPM Server, log on to PPM.

  4. From the menu bar, select Administration > Open Workbench.

    The PPM Workbench opens.

  5. From the shortcut bar, select Environments > Environments.

    The Environment Workbench page opens.

  6. Click New Environment.

    The Environment: Untitled window opens.

  7. In the Environment Name field, type the name of the remote host.

  8. In the Server section, do the following:

    1. In the Name field, type the remote server name.

    2. In the Type list, select the operating system type on the remote server.

    3. In the Username field, type the user ID you provided in step 2.

    4. In the Password field, click the Password () button.

      The Enter or Change Password dialog box opens.

      Note: The PPM Workbench requires that you provide a password, regardless of whether the authentication uses RSA.

      If authentication with RSA fails, the password you provide here will be used instead to connect to the remote host.

    5. In the Enter New Password and Confirm New Password fields, type the password for the user ID you provided in step 2.

    6. Click OK.

    7. In the Base Path field, type the base path.

    8. In the Connection Protocol list, select SSH2.

    9. In the Transfer Protocol list, select Secure Copy 2.

  9. Clear the Enable Client and Enable Database checkboxes.

    Note: The user name specifies the user ID to be used to log on to the destination SSH server. The Environment Checker requires the password. Package line uses the public key file for authentication.

  10. Click Save.

  11. At the bottom left of the window, click Check.

    The Check Environment window opens.

  12. In the left pane, expand the Server folder, and then click SSH2 Server.

  13. Click Check.

    In the left pane, an icon to the left of the selected server indicates whether the check succeeded or failed. The right pane displays the details.

Back to top