Configure key pair authentication for GBDI file extraction

By default, Guardium® uses a password for GBDI file extraction. Use this procedure to configure key pair authentication instead of a password. You upload the key file to the central manager, and from there distribute it to the relevant managed units.

About this task

Upload the key file to the central manager if you want to distribute it to managed units. You can upload it to an individual managed unit, but cannot distribute it from there to other managed units. When you upload the file to the Guardium system, it is deleted from the file server.

Procedure

  1. Upload the key to the file server.
  2. On the central manager, upload the key file to all managed units with the GuardAPI command copy_key_file, for example:
    grdapi copy_key_file fileName="/opt/IBM/Guardium/log/key-file" all="true"
    The central manager copies (by SCP) the key file to all managed units, copies the file to the central manager, and deletes it from the file server. At the end it returns a list of all managed units with the status of the grdapi execution for each. If a unit is down, its status is failed.
  3. For GBDI using data marts: Update the copy_file details with the GuardAPI command datamart_update_copy_file_info, for example:
    grdapi datamart_update_copy_file_info destinationHost=<server name> destinationPassword="file:key-file" destinationPath=<path> destinationUser=<user> Name="<datamart name>" transferMethod="SCP"
  4. If distribution to a managed unit failed, upload the key to the file server on that unit and run the GuardAPI command copy_key_file on that unit, for example:
    grdapi copy_key_file fileName="<keyFile.key>"
  5. To install a new key file, repeat steps 1, 2, and 3.

Results

The key file is used for file transfer, instead of a password.