You set up SSH File Transfer Protocol (SFTP) for use by the network discovery service.
Before you begin
SFTP is available on most Linux systems out-of-the-box and can be readily configured.
Prerequisite for collectors:
Configuring SFTP in an OCP installation
- As part of the collectors feature of the network discovery service, a Secure File Transfer Protocol (SFTP) server is required for using the Alcatel5620Sam Collector. If you do not want to use this collector, you do not need an SFTP server.
- On OCP, no SFTP server is supplied. You must install your own SFTP server, and then configure network discovery to use it. The SFTP server can be inside or outside the OCP cluster.
- To configure network discovery collectors to use your SFTP server, issue the following command:
oc create secret generic ${releaseName}-sftp-secret --from-literal=host=${IP} --from-literal=port=${PORT} --from-literal=username=${USERNAME} --from-literal=password=${PASSWORD} --from-literal=directory=${DIRECTORY}
Where:
- Secret Name: The name of the secret is the release name of the Agile Service Manager installation, followed by -sftp-secret, as in ${releaseName}-sftp-secret.
- IP: The SFTP server IP address or hostname, which should be reachable from the OCP cluster.
- PORT: The SFTP server port number.
- USERNAME: The SFTP server user name that the collector uses to connect to the SFTP server.
- PASSWORD: The SFTP server password that the collector uses to connect to the SFTP server.
- DIRECTORY: The location where the collector looks for the files.
Note: Restart the Network Discovery Collector pods to enable the changes. If you change the SFTP details in the future, you must re-create the SFTP secret and restart the Network Discovery Collector pods each time.
Configure EMS certificates
- To enable an HTTPS connection between the Network Discovery Collectors and the EMS, issue the following command:
oc create configmap ${releaseName}-net-disco-ems-ca-certs --from-file /temp/collector-ems-certs/
Where:
- Configmap Name: The name of the configmap is the release name of the Agile Service Manager installation, followed by -net-disco-ems-ca-certs, as in ${releaseName}-net-disco-ems-ca-certs.
- /temp/collector-ems-certs/: The folder that contains all EMS certificates (the filename extension of each certificate should be .crt).
Note: Restart the Network Discovery Collector pods to enable the changes. If you change the certificates in the future, you must reconfigure the EMS certificates and restart the Network Discovery Collector pods each time.
About this task
SFTP is required to connect to an EMS during a collector discovery.
Procedure
SFTP server setup
- Create a user on the desired server. The user name and password in the following examples are both 'benedict'.
[root@server ~]# useradd benedict
[root@server ~]# passwd benedict
Client setup
- From the client environment, copy the client's SSH public key to the newly created user on the server (ssh-copy-id adds it to that user's authorized_keys):
[home@client ~]$ ssh-copy-id benedict@server
- Verify the SSH connection by logging in to the server:
[home@client ~]$ ssh benedict@server
[benedict@server ~]$ exit
logout
Connection to server closed
- Verify the SFTP connection:
[home@client ~]$ sftp benedict@server
Connected to server
sftp> quit
SFTP server setup
- After verifying both the SFTP and SSH connections, return to the same server and create a new group to manage the chroot users:
[root@server ~]# groupadd sftpusers
- Create a common directory for the chroot users:
[root@server ~]# mkdir /sftp
- Create a subdirectory for each individual user:
[root@server ~]# mkdir /sftp/benedict
- Create the 'home' directory for the user:
[root@server ~]# mkdir /sftp/benedict/home
- Add the user to the new group:
[root@server ~]# usermod -aG sftpusers benedict
- Change the ownership of the user's chrooted 'home' directory only:
[root@server ~]# chown benedict:sftpusers /sftp/benedict/home/
- Modify /etc/ssh/sshd_config to include the following lines towards the end of the file:
Match Group sftpusers
ForceCommand internal-sftp -d /home
ChrootDirectory /sftp/%u
- Restart the sshd service:
[root@server ~]# systemctl restart sshd
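The Match block above confines each user to /sftp/%u. sshd accepts a ChrootDirectory only if that directory and every parent directory are owned by root and are not group- or world-writable; otherwise the user's SFTP login fails with "bad ownership or modes for chroot directory", which is why only the 'home' subdirectory was chowned to the user. The following POSIX shell check is added here and is not part of the original page: it walks a chroot path up to / and reports every component that breaks that rule. It assumes a Linux stat that supports -c; the optional second argument (the uid to treat as root) is a hypothetical parameter for exercising the check outside a root-owned tree.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a ChrootDirectory
# path meets sshd's requirements before restarting sshd. Every component
# from the chroot directory up to / must be owned by root and must not be
# writable by group or others; only the 'home' subdirectory below the
# chroot belongs to the user. Assumes a Linux stat that supports -c.

# chroot_mode_ok MODE: succeed when octal MODE (e.g. 755) carries no
# group-write or other-write bit.
chroot_mode_ok() {
    # The leading 0 forces octal interpretation; 022 masks g+w and o+w.
    [ $((0$1 & 022)) -eq 0 ]
}

# check_chroot_path PATH [ROOT_UID]: walk from PATH up to / and report
# each component that is not owned by ROOT_UID (default 0, i.e. root) or
# is group/world writable. Returns 0 when all components pass, 1 otherwise.
# ROOT_UID is a hypothetical parameter for testing in a non-root tree.
check_chroot_path() {
    dir=$1
    root_uid=${2:-0}
    rc=0
    while :; do
        owner=$(stat -c '%u' "$dir") || return 1
        mode=$(stat -c '%a' "$dir") || return 1
        if [ "$owner" -ne "$root_uid" ]; then
            echo "FAIL: $dir is owned by uid $owner, must be root"
            rc=1
        fi
        if ! chroot_mode_ok "$mode"; then
            echo "FAIL: $dir mode $mode is group/world writable"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 is usable as ChrootDirectory"
    return "$rc"
}

# Run against the chroot created in the procedure, e.g. /sftp/benedict.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root on the server before the sshd restart: an ownership or mode failure on /sftp or /sftp/benedict means the user's SFTP login will be refused even though the sshd configuration itself is valid.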
Client verification
- Verify that the SSH connection no longer works:
[home@client ~]$ ssh benedict@server
This service allows sftp connections only.
Connection to server closed.
- Verify that SFTP access is still valid and that the user is confined to the chroot:
[home@client ~]$ sftp benedict@server
Connected to server.
sftp> pwd
Remote working directory: /home
sftp> cd /root
Couldn't stat remote file: No such file or directory
- Make sure that a regular user can still log in via SSH without issues.