Installing new SSH key during migration
The SSH key that is associated with an SSH integration cannot be moved or copied to another deployment.
When you migrate from one deployment where you set up an SSH integration (for example, from an installation of IBM Netcool Operations Insight, or from a test installation of IBM Cloud Pak® for AIOps) to a new deployment (for example, to an installation of IBM Cloud Pak® for AIOps), then you must set up an SSH integration in the new deployment as well. This SSH integration creates its own SSH key.
Say you have installed the SSH key of the original deployment on some target systems. Now, you want to run the same SSH actions (that you migrated to the new deployment as part of the enclosing runbooks) against the same set of target systems again. You must first install the new SSH key to each of those target systems. One way of performing this administrative action is by using the sample runbooks as described in this topic.
The following procedure uses two fully automated runbooks that are delivered as sample runbooks:
- Example: Add new SSH key to target systems
- Example: Remove old SSH key from target systems
These sample runbooks have been added beginning with IBM Netcool Operations Insight 1.6.11 and IBM Cloud Pak® for AIOps 4.3.0. If the version of your original deployment does not yet contain these sample runbooks, you can import them to your original deployment. The original deployment must be at least at version IBM Netcool Operations Insight 1.6.6 or IBM Cloud Pak® for AIOps 3.5. For general instructions on exporting and importing runbooks, see Export and import runbooks.
- Copy each of the two sample runbooks into your own new runbooks in the new deployment.
- Export those copies of the sample runbooks from the new deployment.
- Edit the exported JSON files and remove the
tags
property from within theexportedAutomation
object. - Import the two runbooks into the original deployment.
Note:
- The scripts that are included in the actions within these runbooks require the
bash
shell to be installed on each of the target systems. If some of your target systems do not supportbash
then you need to create your own copy of the sample runbooks and their nested actions and adjust the scripts to run withsh
only. To do this, you must modify or remove the conditional statement that uses a regular expression to do a smoke test on the SSH key. - The scripts create a backup file of the authorized keys file that they are about to modify (for example,
authorized_keys.rbaBeforeAdd.bak
andauthorized_keys.rbaBeforeRemove.bak
). - The two sample runbooks support Linux target systems only. You can use them as blueprints to create your own variants for target systems that use Windows Powershell.
- The two sample runbooks must be published to be executable by using the API.
Part 1: Add the new SSH key to all target systems
To get familiar with the sample runbook "Example: Add new SSH key to target systems" or if you have only a few target systems, then you can run the sample runbook from the UI of the original deployment. Each of the runbook parameters includes a description of what to specify and which format to use.
If you have many targets, then you can use the following description to define a batch of up to about 100 target hostnames and invoke the runbook by using the runbook API to add the new SSH key to each of those targets.
You must perform this part by using the original deployment ("OLD_INSTALL
"), which has its SSH key that is already installed on all target systems. You can run the commands from any environment that has network access
to your original deployment.
-
If the original deployment is IBM Cloud Pak® for AIOps
-
Set the value of the
CURL_BASEURL_OLD_INSTALL
variable to the IBM Cloud Pak® for AIOps user interface URL and replace the path with "/aiops/api/story-manager/rba/v1
". The following example assumes that the URL is "https://cpd-cp4waiops.apps.mycluster.mycompany.com/zen/#/homepage
". -
To set the value of the
CURL_AUTH_TOKEN_OLD_INSTALL
variable you must have an API key created first. If you need to generate an API key, follow the instructions in Generating API keys for authentication. The<username>
in the command that follows is the user ID that you used to log in to the IBM Cloud Pak® for AIOps user interface when generating the API key. -
Use
CURL_OPTIONS_OLD_INSTALL
to specify any options that you need to use for the curl command itself. For example, use "-k
" to allow insecure SSL connections if you have not installed the deployment's certificate yet.export CURL_BASEURL_OLD_INSTALL="https://cpd-cp4waiops.apps.mycluster.mycompany.com/aiops/api/story-manager/rba/v1" export CURL_AUTH_TOKEN_OLD_INSTALL=`echo -n "<username>:<api_key_value>" | base64 -w 0` export CURL_AUTH_METHOD_OLD_INSTALL="ZenApiKey" export CURL_OPTIONS_OLD_INSTALL="-k"
-
-
If the original deployment is IBM Netcool Operations Insight
-
Set the value of the
CURL_BASEURL_OLD_INSTALL
variable to the hostname where the IBM Netcool Operations Insight service is running, prefix it with "https://
" and append "/api/v1/rba
". For example,https://netcool.apps.mycluster.mycompany.com/api/v1/rba
. -
To set the value of the
CURL_AUTH_TOKEN_OLD_INSTALL
variable you must have an API key created first. If you need to generate an API key, follow the instructions in API Keys. -
Use
CURL_OPTIONS_OLD_INSTALL
to specify any options that you need to use for the curl command itself. For example, use "-k
" to allow insecure SSL connections if you have not installed the deployment's certificate yet.export CURL_BASEURL_OLD_INSTALL="https://netcool.apps.mycluster.mycompany.com/api/v1/rba" export CURL_AUTH_TOKEN_OLD_INSTALL=`echo -n "<api_key_name>:<api_key_password>" | base64 -w 0` export CURL_AUTH_METHOD_OLD_INSTALL="Basic" export CURL_OPTIONS_OLD_INSTALL="-k"
-
-
Common for all deployment types
Run the following command to verify the base URL and the authentication token:
curl -X GET ${CURL_OPTIONS_OLD_INSTALL} -H "Authorization: ${CURL_AUTH_METHOD_OLD_INSTALL} ${CURL_AUTH_TOKEN_OLD_INSTALL}" "${CURL_BASEURL_OLD_INSTALL}/status"
The previous command is expected to produce some informational data about the speed of the transfer and some JSON result data similar to the following:
{"rbs":0,"as":0,"db":0,"connection":{"AWX":0,"IMPACT":2,"SCRIPT":0,"GITHUB":0},"errors":[],"warnings":[]}
Note: Some of the connection items might have a different value than "0", and the "errors" array within the JSON result data might be nonempty (if the connection is in a failed state) - this is not a problem in this context.
The values for the following set of variables must be defined as outlined here:
RUNBOOK_ID_ADD_SSH_KEY
: The runbook ID of the sample runbook Example: Add new SSH key to target systems in the original deployment.PARAM_TARGET_HOSTNAMES
: A stringified array of hostnames, which defines the batch of target systems to be updated in this iteration.PARAM_TARGET_USER
: The user id to be used on the target system. This user id is the same for all target systems in the batch. If different user ids need to be used, then the batches of target hostnames need to be split accordingly.PARAM_AUTHORIZED_KEYS_FILE_PATH
: The relative path to the authorized keys file within the target user's home directory, or an absolute path. You can use an arbitrary file name to test the tooling (but the file needs to exist on the target). Defaults to ".ssh/authorized_keys".PARAM_NEW_SSH_KEY
: The complete SSH key as copied from the SSH integration of the new deployment.PARAM_OPTIONS
: Optional options for the SSH key. Must conform to the SSH specification (not validated by the tooling). Make sure to escape double quotes (see example below).PARAM_COMMENT
: The comment to be saved along withPARAM_NEW_SSH_KEY
in theauthorized_keys
file on the target systems. Must conform to the SSH specification (not validated by the tooling). Defaults to "RunbookAutomation".PARAM_VERBOSE
: Set this totrue
to create verbose output for each of the editing actions on the target systems. Set this tofalse
to just get asuccessful
orfailed
result for the editing actions on the target systems.PARAMETER_ADD_FILE_PATH
: Name of the temporary file that gets generated to contain the parameters in JSON format.
For example:
export RUNBOOK_ID_ADD_SSH_KEY="2f2ba8ee-4ee6-4a36-b213-2be5ec65249f" export PARAM_RAW_TARGETS="doesnotexist1.myzone.mycompany.com" export PARAM_RAW_TARGETS=${PARAM_RAW_TARGETS}`for i in {2..100}; do echo -n ",doesnotexist${i}.myzone.mycompany.com"; done` export PARAM_TARGET_HOSTNAMES="[${PARAM_RAW_TARGETS}]" export PARAM_TARGET_USER="root" export PARAM_AUTHORIZED_KEYS_FILE_PATH=".ssh/authorized_keys_test" export PARAM_NEW_SSH_KEY="ssh-rsa testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest" export PARAM_OPTIONS="from=\\\"my,list,of,addresses\\\"" export PARAM_COMMENT="RunbookAutomation@myCluster.myzone.mycompany.com" export PARAM_VERBOSE="true" export PARAMETER_ADD_FILE_PATH=parametersAddSSHKey.json echo "{\"parameters\":[{\"name\":\"targetHostnames\",\"value\":\"${PARAM_TARGET_HOSTNAMES}\"},{\"name\":\"targetUser\",\"value\":\"${PARAM_TARGET_USER}\"},{\"name\":\"authorizedKeysFilePath\",\"value\":\"${PARAM_AUTHORIZED_KEYS_FILE_PATH}\"},{\"name\":\"newSSHKey\",\"value\":\"${PARAM_NEW_SSH_KEY}\"},{\"name\":\"options\",\"value\":\"${PARAM_OPTIONS}\"},{\"name\":\"comment\",\"value\":\"${PARAM_COMMENT}\"},{\"name\":\"verbose\",\"value\":\"${PARAM_VERBOSE}\"}]}" > $PARAMETER_ADD_FILE_PATH
Run the following command to add the new SSH key to the single batch of target systems, as defined above:
curl -X POST ${CURL_OPTIONS_OLD_INSTALL} -s -H "Authorization: ${CURL_AUTH_METHOD_OLD_INSTALL} ${CURL_AUTH_TOKEN_OLD_INSTALL}" -H "Expect:" -H "Content-Type: application/json; charset=utf-8" -d @${PARAMETER_ADD_FILE_PATH} "${CURL_BASEURL_OLD_INSTALL}/runbooks/${RUNBOOK_ID_ADD_SSH_KEY}/execute"
The output on the command line is expected to show the returned runbook instance ID and look similar to the following:
{"runbookInstanceId":"0d8787ba91b123c7cf2cbd890800be73"}
Login to the UI of the original deployment and navigate to the runbook activity that has been created. The output in runbook activity details is expected to look similar to the following:
# Successful, with verbose output: exists.with.ssh.key.myzone.mycompany.com out: Changed content in .ssh/authorized_keys_test (diff from backup file): exists.with.ssh.key.myzone.mycompany.com out: 0a1 exists.with.ssh.key.myzone.mycompany.com out: > from="my,list,of,addresses" ssh-rsa testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest RunbookAutomation@myCluster.myzone.mycompany.com exists.with.ssh.key.myzone.mycompany.com out: Done exists.with.ssh.key.myzone.mycompany.com status: successful # Successful, with non-verbose output: exists.with.ssh.key.myzone.mycompany.com status: successful # Unsuccessful, reason: file PARAM_AUTHORIZED_KEYS_FILE_PATH does not exist: exists.but.ssh.key.file.does.not.exist.myzone.mycompany.com out: Error: File .ssh/authorized_keys_test does not exist. exists.but.ssh.key.file.does.not.exist.myzone.mycompany.com status: unsuccessful # Failed, reason: old SSH key does not exist on target system exists.but.ssh.key.not.installed.myzone.mycompany.com error: Authentication with target machine failed exists.but.ssh.key.not.installed.myzone.mycompany.com status: failed # Failed, reason: target system not found doesnotexist1.myzone.mycompany.com error: Connection to target via TCP unsuccessful. doesnotexist1.myzone.mycompany.com status: failed
If you have more than about 100 targets and you want to get all of your targets updated, then you must split your total list of targets into batches, and run the runbook for each batch. If you choose to write a script that loops over the set of batches, make sure to add some sleep time after you have started a batch, so the Runbook Automation service can finish the work in the background. Once you have run a few batches, you can review the actual execution time for each of them in the runbook activities view, so you can adjust the sleep time (for example, allow 30 seconds per batch).
Part 2: (Optional) Validate the new SSH key and remove the old SSH key from all target systems
You must perform this part by using the new deployment, which by now (as per part 1) has its SSH key installed on all target systems. The following steps can also be used to verify that the new key works.
Warning: Run the following steps only when the original deployment is no longer intended to run any actions on the target systems.
To get familiar with the sample runbook "Example: Remove old SSH key from target systems" or if you have only a few target systems, then you can run the sample runbook from the UI of the new deployment. Each of the runbook parameters includes a description of what to specify and which format to use.
If you want to use the runbook API to invoke the runbook, then you can run the following commands from any environment that has network access to your new deployment ("NEW_INSTALL
").
The same comments on creating batches of target systems from part 1 apply to this part.
-
The values for the following set of variables must be defined as outlined here:
CURL_BASEURL_NEW_INSTALL
: Set analogously toCURL_BASEURL_OLD_INSTALL
from part 1.CURL_AUTH_TOKEN_NEW_INSTALL
: Set analogously toCURL_AUTH_TOKEN_OLD_INSTALL
from part 1.CURL_AUTH_METHOD_NEW_INSTALL
: Set analogously toCURL_AUTH_METHOD_OLD_INSTALL
from part 1.CURL_OPTIONS_NEW_INSTALL
: Set analogously toCURL_OPTIONS_OLD_INSTALL
from part 1.RUNBOOK_ID_REMOVE_SSH_KEY
: The runbook ID of the sample runbook Example: Remove old SSH key from target systems in the new deployment.PARAM_TARGET_HOSTNAMES
: See part 1.PARAM_TARGET_USER
: See part 1.PARAM_AUTHORIZED_KEYS_FILE_PATH
: See part 1.PARAM_OLD_SSH_KEY
: The complete SSH key as copied from the SSH integration of the old deployment.PARAM_VERBOSE
: See part 1.PARAMETER_REMOVE_FILE_PATH
: Name of the temporary file that gets generated to contain the parameters in JSON format.
For example:
# If new deployment is an IBM Cloud Pak for AIOps installation export CURL_BASEURL_NEW_INSTALL="https://cpd-cp4waiops.apps.mycluster.mycompany.com/aiops/api/story-manager/rba/v1" export CURL_AUTH_TOKEN_NEW_INSTALL=`echo -n "<username>:<api_key_value>" | base64 -w 0` export CURL_AUTH_METHOD_NEW_INSTALL="ZenApiKey" export CURL_OPTIONS_NEW_INSTALL="-k" # If new deployment is an IBM Netcool Operations Insight installation export CURL_BASEURL_NEW_INSTALL="https://netcool.apps.mycluster.mycompany.com/api/v1/rba" export CURL_AUTH_TOKEN_NEW_INSTALL=`echo -n "<username>:<api_key_value>" | base64 -w 0` export CURL_AUTH_METHOD_NEW_INSTALL="Basic" export CURL_OPTIONS_NEW_INSTALL="-k" # Verify that the new installation can be reached curl -X GET ${CURL_OPTIONS_NEW_INSTALL} -H "Authorization: ${CURL_AUTH_METHOD_NEW_INSTALL} ${CURL_AUTH_TOKEN_NEW_INSTALL}" "${CURL_BASEURL_NEW_INSTALL}/status" # Set other environment variables export RUNBOOK_ID_REMOVE_SSH_KEY="50fc56e5-55a9-429d-8c1e-7f0c59f0557f" export PARAM_RAW_TARGETS="doesnotexist1.myzone.mycompany.com" export PARAM_RAW_TARGETS=${PARAM_RAW_TARGETS}`for i in {2..100}; do echo -n ",doesnotexist${i}.myzone.mycompany.com"; done` export PARAM_TARGET_HOSTNAMES="[${PARAM_RAW_TARGETS}]" export PARAM_TARGET_USER="root" export PARAM_AUTHORIZED_KEYS_FILE_PATH=".ssh/authorized_keys_test" export PARAM_OLD_SSH_KEY="ssh-rsa testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest" export PARAM_VERBOSE="true" # Create the parameter file export PARAMETER_REMOVE_FILE_PATH=parametersRemoveSSHKey.json echo "{\"parameters\":[{\"name\":\"targetHostnames\",\"value\":\"${PARAM_TARGET_HOSTNAMES}\"},{\"name\":\"targetUser\",\"value\":\"${PARAM_TARGET_USER}\"},{\"name\":\"authorizedKeysFilePath\",\"value\":\"${PARAM_AUTHORIZED_KEYS_FILE_PATH}\"},{\"name\":\"oldSSHKey\",\"value\":\"${PARAM_OLD_SSH_KEY}\"},{\"name\":\"verbose\",\"value\":\"${PARAM_VERBOSE}\"}]}" > $PARAMETER_REMOVE_FILE_PATH
-
Run the following command to remove the old SSH key from the single batch of target systems, as defined above:
curl -X POST ${CURL_OPTIONS_NEW_INSTALL} -s -H "Authorization: ${CURL_AUTH_METHOD_NEW_INSTALL} ${CURL_AUTH_TOKEN_NEW_INSTALL}" -H "Expect:" -H "Content-Type: application/json; charset=utf-8" -d @${PARAMETER_REMOVE_FILE_PATH} "${CURL_BASEURL_NEW_INSTALL}/runbooks/${RUNBOOK_ID_REMOVE_SSH_KEY}/execute"