Adding an SSH key

You can add an SSH key to provide credentials for Linux-based and AIX-based resources on virtual machines managed by vCenter and Hyper-V, as well as Oracle, Db2, MongoDB, and SAP HANA application servers. SSH keys help to provide a secure connection between IBM Storage® Protect Plus and target resources for file indexing and restore operations.

Before you begin

  • The SSH service must be running on port 22 on the server and any firewalls must be configured to allow IBM Storage Protect Plus to connect to the server using SSH. The SFTP subsystem for SSH must also be enabled.
  • The user account on the target resource that is used to generate the SSH key pair must have sudo privileges. This account, which will be assigned to IBM Storage Protect Plus, is known as the IBM Storage Protect Plus user agent (sppagent).
  • If the environment includes virtual machines managed by vCenter, ensure that the latest VMware Tools are installed.

Procedure

To add a key, complete the following steps:
  1. On the target resource, generate an SSH key by using the ssh-keygen command with the user account that will be assigned to IBM Storage Protect Plus. This account must have sudo privileges. For example, on an Oracle server, enter the following command in the terminal and follow the instructions:
    ssh-keygen
    If you use the default settings, two files are created in the specified directory: id_rsa.pub is the public key and id_rsa is the private key. The private key must be in PEM format. It may be necessary to explicitly use the -m PEM argument with ssh-keygen when generating the key pair.
  2. When prompted for the file in which to save the key, enter a directory and file name. If you do not specify a directory and file name, the default is used:
    /home/privileged_user/.ssh/id_rsa
    where privileged_user is the account assigned to IBM Storage Protect Plus, sppagent. If a key with the default name already exists, the following message is displayed. Be careful not to overwrite preexisting keys if they are in use. Press N to enter a different file in which to save the key.
    /home/<privileged user>/.ssh/id_rsa already exists.
    Overwrite (y/n)? 
    
    This procedure is based on the assumption that the key is saved in the default location using the default file name (id_rsa). If the key file is created using a different file name, use that file name in the steps that follow.
  3. Supply a passphrase and press Enter. Otherwise, simply press Enter for no passphrase.
  4. If a passphrase was supplied, enter it again. Press Enter.
  5. Copy the contents of the id_rsa.pub key into the authorized_keys file. If the file already exists, append the public key to the authorized_keys file.
    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  6. Assign the required permissions to the authorized_keys file by issuing the chmod 600 command.
    chmod 600 ~/.ssh/authorized_keys
  7. Use a text editor to edit the /etc/ssh/sshd_config file and set PubkeyAuthentication to yes. To ensure that the setting is not commented out, remove the number sign (#) if it appears at the beginning of the line.
    sudo vi /etc/ssh/sshd_config
    ...
    PubkeyAuthentication yes
    ...
  8. Restart the SSH service on the target resource.
    sudo systemctl restart sshd
  9. In the IBM Storage Protect Plus navigation panel, click System Configuration > Keys and Certificates.
  10. From the SSH Keys section, click Add SSH Key.
  11. Complete the fields in the SSH Key Properties pane:

    Name

    Enter a meaningful name to identify the SSH key.

    User

    Enter the user account that is associated with the target resource and SSH key. This is the user account used to generate the public and private keys in the previous steps.

    Encrypted

    Check this box if a passphrase was supplied when generating the public and private key.

    Passphrase

    This box is only displayed if the Encrypted check box is selected. If a passphrase was supplied when generating the public and private key, provide the passphrase in this box.

    Private key

    Copy and paste the private key into this box. This will be the key contained in the id_rsa file on the target resource. The file is similar to the following example:

    cat ~/.ssh/id_rsa
    -----BEGIN OPENSSH PRIVATE KEY-----
    ZRYtuinjaHx2mKgW4LnfqzlyAIIq5Amasi/J8/AAAFiFiP4GZYj+BmAAAAB3NzaC1yc2
    ...
    ...
    Q5ZqZ1Ec8N7dsAAAANdG9vckBVYnVudHVWQgECAwQFBg==
    -----END OPENSSH PRIVATE KEY-----
  12. Click Save.
    The key is displayed in the SSH Keys table and can be selected when you use a feature that requires credentials to access a resource with the Key option.
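
A pre-flight check for steps 1 and 5 through 7 and for the SFTP prerequisite, which can be run on the target resource before the key is pasted into IBM Storage Protect Plus. It is an added example, not IBM code: the function names are hypothetical, and it assumes a Linux target with GNU or BSD stat and an sshd_config that does not use Include files.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks for steps 1-8 on a Linux target.
# Assumes GNU or BSD stat, and a plain sshd_config without Include files.

# Classify a private key by its first line: pem, openssh or unknown.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*"PRIVATE KEY-----")      echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
perm_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }

# Succeeds if the public key in $1 is a whole line of authorized_keys file $2.
key_authorized() { grep -qxF -f "$1" "$2" 2>/dev/null; }

# First uncommented global value of keyword $2 in sshd_config $1. sshd keeps
# the first value it reads; scanning stops at the first Match block.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Succeeds if an uncommented "Subsystem sftp ..." line is present.
sftp_enabled() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { f = 1 } END { exit !f }' "$1"
}

# Usage: preflight PRIVATE_KEY AUTHORIZED_KEYS SSHD_CONFIG
preflight() {
    rc=0
    [ "$(key_format "$1")" = pem ] ||
        { echo "FAIL: $1 is not PEM (step 1, ssh-keygen -m PEM)"; rc=1; }
    key_authorized "$1.pub" "$2" ||
        { echo "FAIL: $1.pub is not in $2 (step 5)"; rc=1; }
    [ "$(perm_mode "$2")" = 600 ] ||
        { echo "FAIL: $2 is not mode 600 (step 6)"; rc=1; }
    [ "$(sshd_setting "$3" PubkeyAuthentication)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is not set to yes (step 7)"; rc=1; }
    sftp_enabled "$3" ||
        { echo "FAIL: SFTP subsystem is not enabled (prerequisite)"; rc=1; }
    return "$rc"
}

# Run only when three paths are given on the command line.
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Saved under any file name and run with the paths to id_rsa, authorized_keys and sshd_config as its three arguments, it prints one FAIL line per unmet item and exits non-zero if any check fails.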