Enabling SSH key pairs for data archive, data export, data mart

You can use SSH key pairs for authentication, instead of passwords, for archiving and exporting results, archiving data, and exporting data marts.

About this task

The Guardium system generates SSH keys specific to the type of transfer (archive, export, data mart), and propagates them to remote hosts that support SCP connections. At the central manager level, you can generate SSH keys across the deployment and propagate them to remote hosts. The remote host gets a copy of the public-transfer-key, and the Guardium appliance retains the private part of the SSH key pair, allowing the data transfer without a password.

The two directories that contain the SSH key details (/opt/IBM/Guardium/etc/ssh/ssh-keys/tomcat/ and /opt/IBM/Guardium/etc/ssh/ssh-keys/transfer/) are backed up into the CONFIG backup file when you run the CLI command backup system. When you restore with the CLI command restore backup, the files from these two directories are restored into the current appliance. The restore process does not overwrite any existing files in the current appliance that are newer (last modified timestamp).


  1. Log in to the Guardium system CLI as admin cli.
  2. Enable the feature by entering store system scp-ssh-key-mode on
  3. Verify that the feature is enabled by entering show system scp-ssh-key-mode.
    The response is scp-ssh-key-mode is enabled
  4. Create the SSH key pair, which can be used for data transfer, by entering
    store system public-transfer-key create.
    (Alternatively, use the API command grdapi generate_transfer_key.)
  5. Verify that the key was made and display the public portion of the key, by entering
    show system public-transfer-key
  6. Install the public part of the SSH key on the remote host and users account for data transfer, by using one of these methods:
    • Copy the public part of the key and add it into the .ssh/authorized_keys of the user on the remote host.
    • Run the command export-public-transfer-key.
      This operation will force a new set of ssh keys onto the remote host specified. The keys will be put into the .ssh/authorized_keys file of the user specified. Do you want to continue? (y/n)y 
      Continuing ...
      Please enter a valid host which will adopt the public transfer-key.
      Please enter a valid user for the host.
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/opt/IBM/Guardium/etc/ssh/ssh-keys/transfer/id_rsa.pub"
    • grdapi export_transfer_key
      • On the central manager, copy the unique public-transfer-key of each managed unit to the remote host, by entering:
        grdapi export_transfer_key host="remote_host_1" user="user1" password="password" api_target_host=all
      • On a managed unit, copy the specific, unique, public-transfer-key of the managed unit to the remote host, by entering:
        grdapi export_transfer_key host="remote_host_1" user="user1" password="password"
    The key is imported, and you can run data archive, data export, and system backup to the remote host and user without needing a password.

What to do next

It is good practice, and required in many environments, to periodically refresh the keys.
  1. In the CLI, run the command system public-transfer-key regenerate to refresh the keys.
  2. Delete the old keys from one or more remote hosts by entering system public-transfer-key delete.
  3. Import the new keys into the host as described in step 6.

To archive and export results, archive data, and export data marts, see Transferring data to a remote host by using SSH key pairs for authentication.