Creating a certificate for SSH protocol

Before you install the Storage Resource agents by using the SSH protocol, you can optionally create a certificate.

Note: The Storage Resource agent only supports either DES-EDE3-CBC encryption or no encryption for the private key used in SSH protocol communication between the server and agent. The default encryption that is used in the ssh-keygen command on UNIX is always DES-EDE3-CBC. However, with Windows Cygwin, the ssh-keygen command generates a key with AES-128-CBC encryption if a passphrase is specified. If there is no passphrase, the private key is generated without encryption. For more information about encryption, see https://www.openssl.org/docs/man1.0.2/apps/enc.html.

Creating a certificate for SSH protocol (non-Windows)

The Storage Resource agent only supports either DES-EDE3-CBC encryption or no encryption for the private key used in SSH protocol communication between the server and agent. The default encryption used by the ssh-keygen command on UNIX is always DES-EDE3-CBC, but with Windows Cygwin, ssh-keygen uses AES-128-CBC encryption if a passphrase is specified. If there is no passphrase, the private key is generated without encryption.

To create a certificate for SSH protocol, complete the following steps:

  1. Telnet to the remote machine using the root user ID.
  2. To create an SSH certificate on AIX®, you must first install the following packages (if not already installed):
    openssl.base
    openssh.base.client
    openssh.base.server
  3. Go to the directory where you want to create the certificate:
    cd ~/.ssh 
  4. Enter ssh-keygen -t rsa. Accept the default names (for example, id_rsa).
  5. Enter the passphrase.
  6. Two files are created:
    id_rsa
    The private key.
    id_rsa.pub
    The public key.
  7. Create an authorized_key file in the same location as id_rsa.pub by entering the following command:
    cat id_rsa.pub >> authorized_keys
  8. Copy the id_rsa (private key) to your server machine. For example, to copy the id_rsa file to :\keys\id_rsa on the IBM Spectrum Control server (user responses are in boldface type):
    # ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (//.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in //.ssh/id_rsa.
    Your public key has been saved in //.ssh/id_rsa.pub.
    The key fingerprint is:
    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@server
    # cat id_rsa.pub >> authorized_keys
    # ls -l
    total 24
    -rw-r--r--  1  root  system   399 Oct 15 09:40 authorized_keys
    -rw-------  1  root  system  1743 Oct 15 09:39 id_rsa
    -rw-r--r--  1  root  system   399 Oct 15 09:39 id_rsa.pub
    #
    
    Note: You must copy the file in binary mode.
  9. To connect to the remote system by using the private key, enter the following information in the Remote Agent Machines window of the GUI, when you install the Storage Resource agent:
    • User
    • Certificate Location (c:\keys\id_rsa)
    • Passphrase

Setting up an SSH daemon on Windows

On Windows you must run the ssh-host-config command.

Note: Cygwin is not a prerequisite for the Storage Resource agent on Windows. To use the SSH protocol on Windows, an SSH software program must be used because Windows does not come with an SSH service. Cygwin is a free software program providing SSH access to a Windows server. Cygwin can be used if you want to run the Storage Resource agent by using the SSH protocol.

You must be in a Cygwin window or be an X term user to create the sshd service. In most cases, you click the cygwin.bat file to start the Bash shell.

Complete the following steps:
  1. Install Cygwin.
  2. Set up your sshd service in Cygwin.
  3. Create the certificate.
Installing Cygwin
To install Cygwin, go to http://cygwin.com. This page contains a link that displays help for the setup program and a link to download the setup program. Read the help before running the setup program. Then download the Cygwin program by clicking the Install Cygwin now link. Start the setup program on your computer by running the setup.exe program. Select the appropriate download option (Install from Internet, Download from Internet, or Install from Local Directory) as described in the help files.

If you are upgrading from an older version of Cygwin to a newer version, you need to remove the sshd service before installing the new version of Cygwin.

Accept the default installation options as they are presented to you (Root Directory, Install For, Default Text File Type, and so on). Select a download mirror that is geographically close to your location. Some sites require an FTP account before you can install Cygwin. You can either request an account or simply select another mirror.

During the installation process, a Select Packages list is displayed. Expand the plus sign (+) next to the Admin category and select cygrunsrv and the Bin check box. Expand the plus sign (+) next to the Net category and select openssh. Expand the plus sign (+) next to the Util category and select diffutils. Click Next to resume the setup program. The time required to download the packages depends on how busy the mirror is, and on the speed of your internet connection. With openssh and cygrunsrv, the downloaded files require approximately 70 MB of disk space. Allow 20 minutes to 30 minutes for the download and installation to complete.

Setting up your sshd service in Cygwin
Here is an example of the sequence of steps and responses. The responses to the prompts are in boldfaced type.
  1. Run the ssh-host-config command.
    Note: With Cygwin, you might experience permission problems when running the ssh-host-config command. If you have permission problems, run these commands:
    chmod +r /etc/passwd
    chmod +r /etc/group
    chmod 777 /var
    
    $ ssh-host-config
    
    *** Info: Generating missing SSH host keys
    *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
    *** Info: Creating default /etc/ssh_config file
    *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
    *** Info: Creating default /etc/sshd_config file
    
    *** Info: StrictModes is set to 'yes' by default.
    *** Info: This is the recommended setting, but it requires that the POSIX
    *** Info: permissions of the user's home directory, the user's .ssh
    *** Info: directory, and the user's ssh key files are tight so that
    *** Info: only the user has write permissions.
    *** Info: On the other hand, StrictModes don't work well with default
    *** Info: Windows permissions of a home directory mounted with the
    *** Info: 'noacl' option, and they don't work at all if the home
    *** Info: directory is on a FAT or FAT32 partition.
    *** Query: Should StrictModes be used? (yes/no) no
    *** Info: Updating /etc/sshd_config file
    
    *** Query: Do you want to install sshd as a service?
    *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
    *** Query: Enter the value of CYGWIN for the daemon: [] ntsec
    *** Info: On Windows Server 2003, Windows Vista, and above, the
    *** Info: SYSTEM account cannot setuid to other users -- a capability
    *** Info: sshd requires.  You need to have or to create a privileged
    *** Info: account.  This script will help you do so.
    
    *** Info: It's not possible to use the LocalSystem account for services
    *** Info: that can change the user id without an explicit password
    *** Info: (such as passwordless logins [e.g. public key authentication]
    *** Info: via sshd) when having to create the user token from scratch.
    *** Info: For more information on this requirement, see
    *** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
    
    *** Info: If you want to enable that functionality, it's required to create
    *** Info: a new account with special privileges (unless such an account
    *** Info: already exists). This account is then used to run these special
    *** Info: servers.
    
    *** Info: Note that creating a new user requires that the current account
    *** Info: have Administrator privileges itself.
    
    *** Info: No privileged account could be found.
    
    *** Info: This script plans to use 'cyg_server'.
    *** Info: 'cyg_server' will only be used by registered services.
    *** Query: Do you want to use a different name? (yes/no) no
    *** Query: Create new privileged user account 'local_address\cyg_server' 
    *** Query: (Cygwin name: 'cyg_server')? (yes/no) yes
    *** Info: Please enter a password for new user cyg_server.  Please be sure
    *** Info: that this password matches the password rules given on your system.
    *** Info: Entering no password will exit the configuration.
    *** Query: Please enter the password:password
    *** Query: Reenter:password
    
    *** Info: User 'cyg_server' has been created with password 'password'.
    *** Info: If you change the password, please remember also to change the
    *** Info: password for the installed services which use (or will soon use)
    *** Info: the 'cyg_server' account.
    
    
    *** Info: The sshd service has been installed under the 'cyg_server'
    *** Info: account.  To start the service now, call `net start sshd' or
    *** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
    *** Info: after the next reboot.
    
    *** Info: Host configuration finished. Have fun!
  2. Start the sshd service:
    1. Open a command prompt window.
    2. Enter net start sshd or in a Bash prompt, enter cygrunsrv -S sshd.
    3. Verify that the daemon is running.
    4. Enter ps -a. Examine the output to see if /usr/sbin/sshd is contained in the list of running processes.

    To stop the service from a Windows command prompt, enter net stop sshd. Alternatively, you can change to the C:\cygwin\bin directory (or open a Bash shell) and enter cygrunsrv -E sshd.

  3. When you have started the sshd service, test it by entering the following command from a Bash shell prompt:
    ssh localhost 
       or
    ssh host_name 
    If localhost does not work, use the short host name. If you receive a message indicating that the authenticity of localhost cannot be established, answer Yes to the question "Are you sure you want to continue connecting?" When prompted for your account password on localhost, enter the password you use when logging in to the computer.
  4. Set the TEMP environment variable. For information about setting the environment variable, see http://www.cygwin.com/cygwin-ug-net/setup-env.html.
    Here is an example of setting the environment variable:
    1. Click My Computer > Properties > Advanced > Environment Variables.
    2. Under System variables, find out the value of TEMP. For example, "C:\WINNT\TEMP"
    3. Set the TEMP environment variable to point to the Cygwin format of TEMP in the ~/.bashrc file. For example, run the following command:
      export TEMP=/cygdrive/c/WINNT/temp
      Uncomment and modify this line in the ~/.bashrc file from the default:
      # export TEMP=/tmp
      to
      export TEMP=/cygdrive/c/WINNT/temp

The Cygwin sshd service must be added as a service that starts automatically. To verify this step, click Start > Settings > Control Panel > Administrative Tools > Services. Look for CYGWIN sshd in the name list. Verify that it is started and configured to start automatically.

Creating the certificate
To create a certificate for SSH protocol, complete the following steps:
  1. Run this command:
    cd ~/.ssh
  2. Generate the public and private keys with a passphrase. The passphrase is required.

    From the Bash shell prompt, here is an example of the input and output (user responses are in boldface type):
    
    
    Administrator ~/.ssh
    $ openssl genrsa -des3 -out key 1024
    Generating RSA private key, 1024 bit long modulus
    ..........................................++++++
    .........................................................................++++++
    e is 65537 (0x10001)
    Enter pass phrase for key:passphrase
    Verifying - Enter pass phrase for key:passphrase
    
    Administrator ~/.ssh
    $ chmod 600 ~/.ssh/key
    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/Administrator/.ssh/id_rsa): key_pairs
    Enter passphrase (empty for no passphrase):passphrase
    Enter same passphrase again:passphrase
    Your identification has been saved in key_pairs.
    Your public key has been saved in key_pairs.pub.
    The key fingerprint is:
    SHA256:ew0Octa24Qw917tRqPcn9hETlRakksKcTgGrPkh4UZs Sheila@IBM243-PC0CJ5EF
    The key's randomart image is:
    +---[RSA 2048]----+
    |     . ...    .o+|
    |    . o + o . .o.|
    |   . E . * o ... |
    |  . . . oo. .. ..|
    | . o .. S.B . oo.|
    |  o o  + O B . oo|
    |   . o  . * o +. |
    |      .  .   .o+o|
    |             ..o+|
    +----[SHA256]-----+
    Administrator ~/.ssh
    $ cat key_pairs.pub >> authorized_keys
    $
  3. Copy the id_rsa (private key) to the IBM Spectrum Control server.
  4. To connect to the remote system by using the private key, enter the following information in the GUI, when you install the Storage Resource agent:
    • User
    • Certificate Location (c:\keys\id_rsa)
    • Passphrase
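Because both procedures above depend on the private key being either unencrypted or encrypted with DES-EDE3-CBC, the following added check (not part of the IBM documentation) reads the PEM armour and headers of a private key file and reports whether its encryption is one the Storage Resource agent accepts. The sample keys are constructed with placeholder bodies; the function name and the treatment of any non-"RSA PRIVATE KEY" PEM type (such as the OpenSSH native format) as unsupported are assumptions.

```python
"""Classify an SSH private key by PEM type and encryption so it can be checked
against what the Storage Resource agent accepts (DES-EDE3-CBC or none)."""
import re

SUPPORTED_CIPHERS = {"DES-EDE3-CBC"}
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def classify_private_key(pem_text):
    """Return (supported, detail) from the PEM armour and headers only;
    the base64 body is never decoded."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return False, "not a PEM file"
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label != "RSA PRIVATE KEY":
        # e.g. 'OPENSSH PRIVATE KEY' (OpenSSH native format): not the PEM
        # RSA key form the procedures above produce, so treated as unsupported
        return False, "unsupported PEM type: " + label
    headers = {}
    for ln in lines[1:]:
        m = HEADER_RE.match(ln)
        if not m:
            break  # blank line or first base64 line ends the header block
        headers[m.group(1)] = m.group(2)
    if "ENCRYPTED" not in headers.get("Proc-Type", ""):
        return True, "unencrypted"
    cipher = headers.get("DEK-Info", "").split(",")[0].strip()
    if cipher in SUPPORTED_CIPHERS:
        return True, cipher
    # AES-128-CBC is what Cygwin ssh-keygen emits when a passphrase is given
    return False, "unsupported cipher: " + cipher


# Constructed samples: real PEM header syntax, placeholder base64 bodies.
SAMPLE_DES3 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----"""
SAMPLE_AES = SAMPLE_DES3.replace("DES-EDE3-CBC,0123456789ABCDEF",
                                 "AES-128-CBC,00112233445566778899AABBCCDDEEFF")
SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----"""

if __name__ == "__main__":
    for name, text in [("des3", SAMPLE_DES3), ("aes", SAMPLE_AES), ("plain", SAMPLE_PLAIN)]:
        print(name, classify_private_key(text))
```

A key reported as AES-128-CBC can be re-encrypted with DES-EDE3-CBC using `openssl rsa -in <key> -des3 -out <newkey>`, after which the check passes; keep the resulting file mode at 600 as the procedures above do.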