Sun N1 Service Provisioning System 5.2 Installation Guide

Preparing the Keys

Generate the public-private key pair that will be used to authenticate communication from the Master Server to the Local Distributors and the Remote Agents. Then, copy the generated keys to the Local Distributors and Remote Agents. Choose the appropriate task to complete based on whether you are using the ssh-agent or empty password keys.


Note –

The following instructions describe how to create keys with the default key lengths. For maximum security, create keys with the longest possible key lengths.


Procedure: How to Generate Key Pairs

If you are using the ssh-agent, you only need to generate one key pair. If you are using empty passwords, you may generate a key pair for each SSH connection that the software makes between two machines. Alternatively, you may generate a single key pair for use by all the connections. Complete this task for each key pair that you want to generate.

Before You Begin

Ensure that the user ID and group ID that you are using for the Sun N1 Service Provisioning System 5.2 are the same on all of the servers in the network.

Steps
  1. Generate the keys on the Master Server. If you are using empty passwords and are generating a key pair for each connection, generate the keys on the upstream machine of that connection instead.


    % ssh-keygen -t rsa
    

    The server prompts you to save the keys.

  2. Save the keys in the default locations by pressing Return.

    The private key is saved in /User-home/.ssh/id_rsa. The public key is saved in /User-home/.ssh/id_rsa.pub.

    User-home is the home directory of the currently logged in user on the Master Server machine.

    The server prompts you for a password.

  3. Determine whether you need to supply a password.

    • If you are using empty password keys, do not supply a password. Press Return to continue.

    • If you are using the ssh-agent, supply a password for the keys.

Procedure: How to Set Up Keys for the ssh-agent

If you are using the ssh-agent, complete this task to copy the keys to the Local Distributors and Remote Agents.

Steps
  1. On the Master Server, copy the private key file, ~/.ssh/id_rsa, to a secure media.


    % cp /User-home/.ssh/id_rsa path_to_file/
    

    User-home is the home directory of the currently logged in user on the Master Server machine. path_to_file/ is the path to the secure media where you want to save the private key file.

  2. Delete the private key file from the local file system.


    % rm /User-home/.ssh/id_rsa
    
  3. Copy the public key to each Local Distributor and Remote Agent that you want to set up to use SSH. Save the key in the ~/.ssh/authorized_keys2 file.


    % cp /User-home/.ssh/id_rsa.pub /User-home-APP/.ssh/authorized_keys2
    

    User-home is the home directory on the Master Server machine. User-home-APP is the home directory of the currently logged in user on the Local Distributor or the Remote Agent machine.

  4. Ensure that the .ssh/ directory and any parent directories are not world writable.

  5. Change the permissions for the .ssh/authorized_keys2 file to 600.

  6. Edit the following line in the config.properties files on the Master Server and the Local Distributors to enable ssh-agent forwarding.

    Current configuration:


    net.ssh.args=-o|BatchMode yes

    Edit the line to include the -A option:


    net.ssh.args=-o|BatchMode yes|-A
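The value of net.ssh.args is a list of ssh arguments separated by | characters, which is why "BatchMode yes" with its space is passed as a single argument. The following added example (not part of the N1 SPS documentation) shows how that list splits into arguments and performs the step 6 edit idempotently; the file name and the single-line layout of config.properties are assumptions.

```shell
#!/bin/sh
# Added example: handle the pipe-separated net.ssh.args line of config.properties.
# Assumes one "net.ssh.args=" line per file, fields separated by '|'.

# Print each ssh argument on its own line, splitting only on '|' so that
# "BatchMode yes" stays one argument.
ssh_args_argv() {
    value=${1#net.ssh.args=}
    oldifs=$IFS
    IFS='|'
    set -- $value
    IFS=$oldifs
    printf '%s\n' "$@"
}

# Append the "-A" (agent forwarding) field to net.ssh.args unless it is
# already present. Returns 1 if the file has no net.ssh.args line.
enable_agent_forwarding() {
    file=$1
    line=$(grep '^net.ssh.args=' "$file") || return 1
    case "|${line#net.ssh.args=}|" in
        *"|-A|"*) return 0 ;;          # already enabled: nothing to do
    esac
    tmp="$file.tmp.$$"
    sed '/^net\.ssh\.args=/s/$/|-A/' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back the resulting line so a caller can verify the edit.
ssh_args_line() {
    grep '^net.ssh.args=' "$1"
}
```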

Procedure: How to Set Up Keys for Empty Password Files When Using One Key Pair

If you are using empty password files and you generated only one key pair, complete this task to copy the keys to the Local Distributors and Remote Agents.

Steps
  1. From the Master Server, copy the private key to each machine that is upstream. Save the key in the home directory.


    % cp /User-home/.ssh/id_rsa /User-home-upstream/.ssh/id_rsa
    

    User-home is the home directory of the currently logged in user on the Master Server machine. User-home-upstream is the home directory on the machine that is upstream. The upstream machine is the machine that initiates the SSH connection with the machine that is downstream.

    Each Local Distributor can have a unique private key, or you can use the same private key for all Local Distributors.

  2. Copy the public key to each machine that is downstream. Save the key in the ~/.ssh/authorized_keys2 file.


    % cp /User-home/.ssh/id_rsa.pub /User-home-downstream/.ssh/authorized_keys2
    

    User-home is the home directory on the Master Server machine. User-home-downstream is the home directory on the Local Distributor or the Remote Agent machine to which the machine that you set up in the previous step will connect. Copy the public key to all Local Distributors and Remote Agents that connect using SSH.

  3. Ensure that the .ssh/ directory and any parent directories are not world writable.

  4. Ensure that the private key file, .ssh/id_rsa, is not accessible by other users or groups.

  5. Change the permissions for the .ssh/authorized_keys2 file to 600.

Procedure: How to Set Up Keys for Empty Password Files When Using Multiple Key Pairs

If you are using empty password files and you generated a key pair for each SSH connection, complete this task to copy the keys to the Local Distributors and Remote Agents.

Before You Begin

Complete this task for every SSH connection that is made on the network, that is, for every key pair.

Steps
  1. From the machine that is upstream, copy the public key to each machine that is downstream. Save the key in the User-home/.ssh/authorized_keys2 file.


    % cp /User-home-upstream/.ssh/id_rsa.pub /User-home-downstream/.ssh/authorized_keys2
    

    User-home-upstream is the home directory on the machine that is upstream. User-home-downstream is the home directory on the Local Distributor or the Remote Agent machine to which the upstream machine will connect.

  2. Ensure that the .ssh/ directory and any parent directories are not world writable.

  3. Ensure that the private key file, .ssh/id_rsa, is not accessible by other users or groups.

  4. Change the permissions for the .ssh/authorized_keys2 file to 600.