How to use ssh key enabled authentication with CA Identity Manager (IM)?
When ssh (secure shell) is run from the appliance, the following errors are returned:
Warning: Identity file /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/imadmin_key not accessible: Permission denied.
spawn ssh -oStrictHostKeyChecking=no -oCheckHostIP=no localhost
<user>@localhost's password:
Permission denied, please try again.
<user>@localhost's password:
Permission denied, please try again.
Release : 14.x
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
How to use Key-based Authentication
The CA Identity Manager (IM) documentation describes how to "Enable Key-Based Authentication to a Remote SSH Server", but it lacks context.
In CA Identity Manager, "key-based authentication" is designed to be driven from Policy Xpress (PX), whose command-line actions run as the wildfly OS user. The generated keys under /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys are not accessible to other OS users, so running the same ssh command directly at the OS level as another user fails with the "Permission denied" error shown above and falls back to a password prompt.
To use "Key-Based Authentication to a Remote SSH Server", a key pair must be generated on the appliance and its public key installed on the remote machine.
To generate the key pair, list the stored keys and export the public key, run:
1. wildfly-ssh-keymgr --Generate config_key
2. wildfly-ssh-keymgr --list
3. wildfly-ssh-keymgr --export config_key
For Linux (Confirmed):
Copy the public key (config_key.pub) to the remote Linux machine and append it to the file /root/.ssh/authorized_keys (a file, not a directory). sshd ignores the file unless /root/.ssh is mode 700 and authorized_keys is mode 600, and key-based root login requires PermitRootLogin to be set to yes or prohibit-password in sshd_config.
For Windows (Unconfirmed):
Copy the public key (config_key.pub) to the remote Windows machine and append it to C:\Users\YourUserName\.ssh\authorized_keys. Note that Win32-OpenSSH reads C:\ProgramData\ssh\administrators_authorized_keys instead for accounts in the local Administrators group, unless that default is changed in sshd_config.
The commands are triggered from Policy Xpress (PX), but PX does not call ssh directly: it runs a shell script that wraps the ssh command. The script must be readable and executable by the wildfly user, because that is the account PX runs it under.
For example, create a new file (test_ssh) containing:
ssh -o StrictHostKeyChecking=no -i /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/<key name> <user>@<host> "<command>"
For example:
ssh -o StrictHostKeyChecking=no -i /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/imadmin_key root@<host> "mkdir /root/NewFolder"
Note that StrictHostKeyChecking=no accepts whatever host key the remote presents on first contact. It avoids an interactive prompt when the script runs unattended, but a known_hosts file pre-populated for the wildfly user is the safer way to achieve that.
Create a PX policy in CA Identity Manager (IM) with the following action rule:
Category = External Code
Type = Execute Command Line
Function = Execute Command Line
Command: /home/config/test_ssh
Outcome:
When the policy fires, PX runs the script as the wildfly user, which authenticates to the remote machine with the key and creates /root/NewFolder there.
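As an added example, not the article's test_ssh script and not part of the CA product, the following is a hardened version of the wrapper that PX executes, together with the authorized_keys entry to install on the remote Linux host. It keeps the article's flow (PX runs the script as wildfly, the script calls ssh with the exported key) but adds a readability check on the key, non-interactive mode so a missing key fails instead of prompting for a password, host-key pinning in place of StrictHostKeyChecking=no, and a restricted authorized_keys line. The 192.0.2.x addresses, the sample public key, the known_hosts location and the convention of passing four arguments to the script are assumptions.

```sh
#!/bin/sh
# Added example for this KB entry; it is not the article's test_ssh script nor
# part of the CA product. It wraps the same ssh call PX executes but adds the
# checks a practitioner would want. Assumptions: key and known_hosts paths,
# the 192.0.2.x addresses and the sample public key are all constructed.
set -eu

# The wrapper runs as wildfly when PX calls it, so the key must be readable by
# that account. Run from an ordinary shell as another user it produces the
# "Identity file ... not accessible: Permission denied" seen in the symptoms.
check_key_readable() {                     # check_key_readable <key file>
  [ -r "$1" ] && return 0
  echo "key $1 is not readable by $(id -un); PX runs this as wildfly" >&2
  return 1
}

# Run ssh non-interactively. BatchMode=yes makes ssh fail instead of falling
# back to the password prompt loop shown above. StrictHostKeyChecking=yes with
# a pre-populated known_hosts replaces the article's StrictHostKeyChecking=no,
# which accepts any host key on first contact. SSH_BIN=echo gives a dry run.
run_ssh() {                                # run_ssh <key file> <known_hosts> <user@host> <remote command>
  key="$1" hosts="$2" target="$3" remote_cmd="$4"
  check_key_readable "$key" || return 1
  "${SSH_BIN:-ssh}" -o BatchMode=yes -o StrictHostKeyChecking=yes \
      -o UserKnownHostsFile="$hosts" -i "$key" "$target" "$remote_cmd"
}

# Build the authorized_keys line for the remote side (the "For Linux" step).
# Restricting the key to the appliance address and to a single forced command
# limits what a leaked key file can do as root. Omit the third argument to
# allow any command, which is what the article's mkdir example needs.
restricted_authorized_key() {              # restricted_authorized_key <appliance ip> <public key line> [forced command]
  opts="from=\"$1\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding"
  if [ -n "${3:-}" ]; then
    opts="$opts,command=\"$3\""
  fi
  printf '%s %s\n' "$opts" "$2"
}

# Constructed sample: the line to append to /root/.ssh/authorized_keys on the
# remote Linux host for a key exported with "wildfly-ssh-keymgr --export".
# The public key below is a placeholder, not a real key.
restricted_authorized_key 192.0.2.5 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey config_key' \
    'mkdir /root/NewFolder'

# When PX invokes the script with four arguments, perform the real call, e.g.
#   /home/config/test_ssh /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/imadmin_key \
#       /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/known_hosts root@192.0.2.5 "mkdir /root/NewFolder"
# Hardcode the four values here instead if your PX action cannot pass arguments.
if [ "$#" -eq 4 ]; then
  run_ssh "$@"
fi
```

Populate the known_hosts file once, after confirming the remote host key fingerprint out of band, and make sure it is owned by or readable to the wildfly user like the key itself; with StrictHostKeyChecking=yes an unknown host key makes the connection fail rather than silently trusting it. If the remote key must stay usable for arbitrary commands, still keep the from= and no-* restrictions so that the key only works from the appliance and cannot open a shell or tunnel.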