IBM Support

Backing up the HMC using SFTP and a Key File

Question & Answer


Question

How does one go about setting up an SSH key file and distributing it to remote hosts within the restricted shell environment of the Power Hardware Management Console (HMC)?

Cause

One of the newer features in HMC v8 is the ability to back up the HMC using SFTP with a key file rather than a password. Using a key file can be useful for setting up scheduled operations without having to specify the user's password. Since the HMC has a restricted shell environment, the typical methods of SSH key generation and distribution have to be altered to work within the limitations of that environment.

Answer

Before the HMC can be backed up using SFTP and a key file, the SSH keys have to be generated with the ssh-keygen command. Once the key is generated, it needs to be distributed to the remote SFTP server. The following example shows how this can be done within the constraints of the tools available in the HMC's restricted user environment.



Start off by logging into the HMC command line interface (CLI) with your user ID. In the case of this example the user logged in is MyUser.

1. Run ssh-keygen

Ran ssh-keygen and designated /home/MyUser as the directory in which to generate the RSA public and private key files. The default path ssh-keygen would have used was /home/MyUser/.ssh, and since that directory was owned by root on the HMC, it was not ideal for working with the SSH key files in this case. That is why specifying the absolute path is important when working on the HMC CLI.

2. Checked to see if the key files were written to my home directory.

ls -la
-rw------- 1 MyUser hmc 1679 Jun 21 20:34 id_rsa
-rw-r--r-- 1 MyUser hmc 400 Jun 21 20:34 id_rsa.pub

3. Copied the public key file over to my SFTP server called in this example mySFTPserver.mydomain.com.

scp id_rsa.pub MyUser@mySFTPserver.mydomain.com:.ssh/id_rsa.pub.MyHMC

NOTE: the remote SFTP server, mySFTPserver, is where I wanted to use the default ssh key file path ($HOME/.ssh). I had access to the directory and files on mySFTPserver.

4. The next step was to update the authorized_keys file on the SFTP server with my public key. The following commands were run on mySFTPserver.mydomain.com with my user ID MyUser.

cat id_rsa.pub.MyHMC >> authorized_keys
rm id_rsa.pub.MyHMC
cat authorized_keys

5. The test needs to use the actual backup application the SSH keys were created for, either by running the HMC backup from the GUI task wizard or by using the CLI command bkconsdata. The example here is for bkconsdata, but the GUI task for Backup HMC data could also be used.

bkconsdata -r sftp -h mySFTPserver.mydomain.com -u MyUser -k /home/MyUser/id_rsa

6. Since an HMC backup takes a long time to run, it was necessary to wait a sufficient amount of time before checking on its progress. The check was done by reviewing the console event log. lssvcevents is the CLI method used in this example, but the console log also has a GUI task view if you are more comfortable using that method. Only the lssvcevents example is shown here.

lssvcevents -t console -d 0 | grep -i back

time=06/23/2017 16:30:49,text=The following operation completed: Backup Critical Console Data. It was scheduled by HMC(MyUser) from MyHMC on Fri Jun 23 15:29:42 UTC 2017.
<em>Schedulable Description:</em> <b>Backup Critical Console Data</b> <br/>
<em>Schedulable Class:</em> com.ibm.hmc.ui.console.schedops.schedulables.BackupCritDataPSchedulable <br/>
time=06/23/2017 15:31:00,text=The following operation started: Backup Critical Console Data. It was scheduled by HMC(MyUser) from MyHMC on Fri Jun 23 15:29:42 UTC 2017.

The output above showed that my backup using the ssh key file worked and it took my HMC approximately an hour to complete the task. I could also check the SFTP server to make sure the file copied over to it as expected.
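
The step 4 commands, written as a repeatable function for the SFTP server side. This is an added example, not part of the original IBM document; the function name install_hmc_key and its arguments are assumptions. It validates the copied file, sets the permissions sshd expects, and avoids duplicate or run-together entries in authorized_keys.

```shell
#!/bin/sh
# Added example (not from the IBM document): hardened version of step 4,
# run on the SFTP server. Function name and arguments are assumptions.
# Usage: install_hmc_key <pubkey-file> [ssh-dir]   (ssh-dir defaults to $HOME/.ssh)
install_hmc_key() {
    pub=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys

    if [ ! -f "$pub" ]; then
        echo "no such file: $pub" >&2; return 1
    fi
    # A public key file holds exactly one non-empty line.
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "expected exactly one key line in $pub" >&2; return 1
    fi
    key=$(grep . "$pub")
    # Require "<type> <base64> [comment]"; this also refuses a private key
    # copied over by mistake.
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default), sshd ignores authorized_keys when the
    # directory or file is writable by anyone but the owner.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on "<type> <base64>" only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present"
    else
        # A plain "cat >>" glues the key onto the previous entry when the file
        # lacks a trailing newline; terminate that line first.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$key" >> "$auth"
        echo "key added"
    fi
    rm -f "$pub"
}
```

On the server from this example it would be called as install_hmc_key "$HOME/.ssh/id_rsa.pub.MyHMC".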


Document Information

Modified date:
17 June 2018

UID

isg3T1025553