How to use ssh key enabled authentication with CA Identity Manager (IM)?


Article ID: 196345


Products

CA Identity Manager, CA Identity Portal, CA Identity Suite

Issue/Introduction

How to use ssh key enabled authentication with CA Identity Manager (IM)?

When using ssh (secure shell) errors are returned:

Warning: Identity file /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/imadmin_key not accessible: Permission denied.
spawn ssh -oStrictHostKeyChecking=no -oCheckHostIP=no localhost
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.


Environment

Release : 14.x

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

How to use Key-based Authentication

The CA Identity Manager (IM) documentation gives some details on how to "Enable Key-Based Authentication to a Remote SSH Server", but it lacks context:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-3/virtual-appliance/administering-virtual-appliance.html

In the context of CA Identity Manager, "Key-based authentication" is designed to work through Policy Xpress (PX), which gains access via the wildfly user. If you try to execute the commands directly at the OS level, you will receive a "permission denied" error.

To use "Key-Based Authentication to a Remote SSH Server", a key pair needs to be created on the appliance and its public key copied to the remote machine.

To generate the key pair and export its public key, run the following steps on the virtual appliance:

1. wildfly-ssh-keymgr --Generate config_key
2. wildfly-ssh-keymgr --list
3. wildfly-ssh-keymgr --export config_key

For Linux (Confirmed):

Copy the public key (config_key.pub) to the remote Linux machine and append it to the /root/.ssh/authorized_keys file.

For Windows (Unconfirmed):

Copy the public key (config_key.pub) to the remote Windows machine and add the public key to the C:/Users/YourUserName/.ssh/ directory.


Although the commands are triggered from Policy Xpress (PX), they must be run from a script that wraps the ssh call.

For example, create a new file (test_ssh) containing a command of the following form:
ssh -o StrictHostKeyChecking=no -i /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/<key name> <user>@<host> "<command>"

For example:
ssh -o StrictHostKeyChecking=no -i /opt/CA/VirtualAppliance/conf/wildfly-ssh-keys/imadmin_key [email protected] "mkdir /root/NewFolder"


Create a PX policy in CA Identity Manager (IM) with the following action rule:

Category = External Code
Type = Execute Command Line
Function = Execute Command Line

Command: /home/config/test_ssh
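As an added example (not from the article or the product), the wrapper script above can be written so that it fails fast and keeps host-key verification on: BatchMode=yes stops ssh from falling into the password-prompt loop shown in the Issue section when the key is unusable, a readability/mode check on the key explains the "Identity file ... not accessible" warning up front, and StrictHostKeyChecking=yes with a pinned known_hosts file replaces StrictHostKeyChecking=no, which would accept any host key presented on that address. The known_hosts path and the assumption that no path contains whitespace are mine, not the article's.

```shell
#!/bin/sh
# Hardened wrapper in the spirit of /home/config/test_ssh, meant to be called
# from the Policy Xpress "Execute Command Line" action as the wildfly user.
# Assumptions (not from the article): an administrator has pinned the remote
# host key in $KNOWN_HOSTS, and no path used here contains whitespace.

KEY_DIR=/opt/CA/VirtualAppliance/conf/wildfly-ssh-keys
KNOWN_HOSTS="$KEY_DIR/known_hosts"

# BatchMode=yes: never fall back to a password prompt, so a broken key fails
# immediately instead of hanging the PX action. StrictHostKeyChecking=yes with
# a pinned known_hosts file means only the expected remote host is accepted.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS"

# Fail early with a clear message when the private key cannot be used: it must
# be readable by the calling (wildfly) user and not readable by group/others,
# otherwise ssh itself refuses the key.
check_key() {
    key="$1"
    [ -r "$key" ] || { echo "check_key: $key is not readable by $(id -un)" >&2; return 1; }
    mode=$(stat -c '%a' "$key")   # GNU stat, as on the Linux-based appliance
    case "$mode" in
        600|400) return 0 ;;
        *) echo "check_key: $key has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# run_remote <key name in KEY_DIR> <user> <host> <command...>
run_remote() {
    key="$KEY_DIR/$1"; user="$2"; host="$3"; shift 3
    check_key "$key" || return 1
    # shellcheck disable=SC2086  # SSH_OPTS is word-split on purpose
    ssh $SSH_OPTS -i "$key" "$user@$host" "$@"
}

# Invocation matching the article's example:
#   /home/config/test_ssh imadmin_key root <host> "mkdir /root/NewFolder"
if [ "$#" -ge 4 ]; then
    run_remote "$@"
fi
```

The PX "Command" field then passes the key name, user, host and remote command as arguments instead of hard-coding them in the script.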


Outcomes:

When executed, this triggers the PX policy, which creates the "NewFolder" directory on the remote machine.