Verifying the accuracy of keys that are automatically transferred

When establishing a management domain, either through the use of CSM or xCAT commands or the creation of IBM.MngNode and IBM.MCP resources, public keys are automatically exchanged between the management server and managed nodes.

Keys are exchanged by copying:
  • the public key from each of the managed nodes to the management server.
  • the management server's public key to each of the managed nodes.
If you are concerned about potential address and identity spoofing in a management domain, you will need to verify that the correct keys were copied. To do this:
  1. Log on to the node whose public key was copied.
  2. Execute the following command on that node:
    /opt/rsct/bin/ctskeygen -d > /tmp/hostname_pk.sh
    This command writes a text version of the local node's public key value to the file /tmp/hostname_pk.sh. The contents of this file will consist of two lines of output, resembling the following:
    120400cc75f8e007a7a39414492329dcb5b390feacd2bbb81a7074c4edb696bcd8e15a5dda5
    2499eb5b641e52dbceda2dccb8e8163f08070b5e3fc7e355319a84407ccbfc98252072ee1c0
    381bdb23fb686d10c324352329ab0f38a78b437b235dd3d3c34e23bb976eb55a386619b70c5
    dc9507796c9e2e8eb05cd33cebf7b2b27cf630103 
    (generation method: rsa1024) 
  3. Log on to the remote node where the key was transferred.
  4. Execute the /opt/rsct/bin/ctsthl -l command and verify that the correct key has been added to the trusted host list. The ctsthl command output should list entries for the host name and IP address(es) of the node, each carrying the same identifier value that ctskeygen -d wrote on the originating node. Example host entries for one node as they appear in the ctsthl command output:
    --------------------
    Host name: avenger.pok.ibm.com
    Identifier Generation Method: rsa1024
    Identifier Value:
    120400cc75f8e007a7a39414492329dcb5b390feacd2bbb81a7074c4edb696bcd8
    e15a5dda52499eb5b641e52dbceda2dccb8e8163f08070b5e3fc7e355319a84407
    ccbfc98252072ee1c0381bdb23fb686d10c324352329ab0f38a78b437b235dd3d3
    c34e23bb976eb55a386619b70c5dc9507796c9e2e8eb05cd33cebf7b2b27cf6301
    03
    --------------------
    Host name: 199.100.100.4
    Identifier Generation Method: rsa1024
    Identifier Value:
    120400cc75f8e007a7a39414492329dcb5b390feacd2bbb81a7074c4edb696bcd8
    e15a5dda52499eb5b641e52dbceda2dccb8e8163f08070b5e3fc7e355319a84407
    ccbfc98252072ee1c0381bdb23fb686d10c324352329ab0f38a78b437b235dd3d3
    c34e23bb976eb55a386619b70c5dc9507796c9e2e8eb05cd33cebf7b2b27cf6301
    03
    --------------------
    Host name: 9.117.198.45
    Identifier Generation Method: rsa1024
    Identifier Value:
    120400cc75f8e007a7a39414492329dcb5b390feacd2bbb81a7074c4edb696bcd8
    e15a5dda52499eb5b641e52dbceda2dccb8e8163f08070b5e3fc7e355319a84407
    ccbfc98252072ee1c0381bdb23fb686d10c324352329ab0f38a78b437b235dd3d3
    c34e23bb976eb55a386619b70c5dc9507796c9e2e8eb05cd33cebf7b2b27cf6301
    03
    --------------------
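The comparison in steps 2 and 4 can be scripted so that a node's key dump is checked against every trusted host list entry for that node at once. The following is an added example, not part of the RSCT documentation or product: it assumes only the two output formats shown above, and the function names and the short sample key values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSCT code): check a node's "ctskeygen -d" dump against
# what "ctsthl -l" on the peer recorded for it. Function names are mine.
# Collapse the dump to one hex string; the "(generation method: ...)" line is not key data.
keydump_value() {
    grep -v 'generation method' "$1" | tr -d ' \t\r\n'
}

# Print the Identifier Value listed under "Host name: $2" (name or IP), or nothing.
thl_value() {
    awk -v want="$2" '
        /^[ \t]*Host name:/        { hit = ($3 == want); inval = 0; next }
        /^[ \t]*Identifier Value:/ { inval = hit; next }
        /^[ \t]*-+[ \t]*$/         { inval = 0; next }
        inval && NF                { printf "%s", $1 }
    ' "$1"
}

# Succeed only if every identity given for the node (host name and each IP) carries the dumped key.
verify_node() {
    dump=$1; thl=$2; shift 2
    expected=$(keydump_value "$dump")
    [ -n "$expected" ] || { echo "empty key dump: $dump" >&2; return 2; }
    rc=0
    for id in "$@"; do
        if [ "$(thl_value "$thl" "$id")" = "$expected" ]; then
            echo "OK       $id"
        else
            echo "MISMATCH $id (entry missing or key differs)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files in the two formats above (short fake values, not real
# RSCT keys); the IP entry deliberately carries a different key.
write_samples() {
    printf '1204aabbccdd\neeff0011\n(generation method: rsa1024)\n' > "$1/pk.sh"
    printf '%s\n' -------------------- 'Host name: avenger.pok.ibm.com' \
        'Identifier Generation Method: rsa1024' 'Identifier Value:' \
        1204aabbcc ddeeff0011 -------------------- 'Host name: 199.100.100.4' \
        'Identifier Generation Method: rsa1024' 'Identifier Value:' \
        1204aabbcc ddeeff0099 -------------------- > "$1/thl.txt"
}

if [ "${1:-}" = "--demo" ]; then   # sh verify.sh --demo
    d=$(mktemp -d); write_samples "$d"
    verify_node "$d/pk.sh" "$d/thl.txt" avenger.pok.ibm.com 199.100.100.4 || echo "verification FAILED" >&2
    rm -rf "$d"
fi
```

On real nodes, pass the /tmp/hostname_pk.sh file from step 2 and a saved copy of the ctsthl -l output from step 4, followed by the node's host name and each of its IP addresses; a MISMATCH line means the trusted host list entry for that identity is absent or does not carry the key the node actually generated.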