Enabling SSH key pairs for data archive, data export, data mart

You can use SSH key pairs for authentication, instead of passwords, for archiving and exporting results, archiving data, and exporting data marts.

About this task

The Guardium system generates SSH keys specific to the type of transfer (archive, export, data mart), and propagates them to remote hosts that support SCP connections. At the central manager level, you can generate SSH keys across the deployment and propagate them to remote hosts. The remote host gets a copy of the public-transfer-key, and the Guardium appliance retains the private part of the SSH key pair, allowing the data transfer without a password.

The two directories that contain the SSH key details (/opt/IBM/Guardium/etc/ssh/ssh-keys/tomcat/ and /opt/IBM/Guardium/etc/ssh/ssh-keys/transfer/) are backed up into the CONFIG backup file when you run the CLI command backup system. When you restore with the CLI command restore backup, the files from these two directories are restored into the current appliance. The restore process does not overwrite any existing files in the current appliance that are newer (last modified timestamp).

Procedure

  1. Log in to the Guardium system CLI as admin. . 
    cli
  2. Enable the feature. 
    store system scp-ssh-key-mode on
  3. Verify that the feature is enabled. 
    show system scp-ssh-key-mode
    The response is scp-ssh-key-mode is enabled
  4. Create the SSH key pair, which can be used for data transfer, entering the following command on the Central Manager. 
    grdapi generate_transfer_key api_target_host=all
  5. Verify that the key was made and display the public portion of the key, by entering the following command on the Managed Unit. 
    show system public-transfer-key
  6. Install the public part of the SSH key on the remote host and users account for data transfer, by using one of these methods:
    • Copy the public part of the key and add it into the .ssh/authorized_keys of the user on the remote host.
    • Run the command following command. 
      export-public-transfer-key
      . 
      ...>export-public-transfer-key
This operation will force a new set of ssh keys onto the remote host specified. The keys will be put into the .ssh/authorized_keys file of the user specified. Do you want to continue? (y/n)y 
Continuing ...
Please enter a valid host which will adopt the public transfer-key.
10.12.12.45
Please enter a valid user for the host.
admin
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/opt/IBM/Guardium/etc/ssh/ssh-keys/transfer/id_rsa.pub"
    • grdapi export_transfer_key
      • On the central manager, copy the unique public-transfer-key of each managed unit to the remote host by running the following command.
        grdapi export_transfer_key host="remote_host_1" user="user1" password="password" api_target_host=all
      • On a managed unit, copy the specific, unique, public-transfer-key of the managed unit to the remote host by running the following command.
        grdapi export_transfer_key host="remote_host_1" user="user1" password="password"
    The key is imported, and you can run data archive, data export, and system backup to the remote host and user without needing a password.

What to do next

It is good practice, and required in many environments, to periodically refresh the keys.
  1. In the CLI, run the following command to refresh the keys.
    system public-transfer-key regenerate
  2. Delete the old keys from one or more remote hosts by running the following command.
    system public-transfer-key delete
  3. Import the new keys into the host as described in step 6.

To archive and export results, archive data, and export data marts, see Transferring data to a remote host by using SSH key pairs for authentication.