Access Encryption Management Server using SSH

Article ID: 153592

Products

Encryption Management Server, Gateway Email Encryption, Encryption Management Server Powered by PGP Technology, Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

To gain command line access to an Encryption Management Server you will need to connect using SSH with key based authentication.

One of the most popular open source SSH applications for Windows is PuTTY. In addition to the SSH application, it includes a command line SCP (Secure Copy Protocol) client for transferring files and an application for generating keys.

Windows 10 version 1803 and above and Windows Server 2019 and above include OpenSSH for Windows. It comprises a command line SSH and SCP utility as well as a command line utility for generating keys. This, therefore, is an alternative to PuTTY.

Note that if you regularly transfer files to Encryption Management Server, the open source WinSCP application is recommended. It is described in article 157406.

This article details how to use PuTTY or OpenSSH for Windows to connect to Encryption Management Server.

Accessing the server command line for read-only purposes (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications or customizations via the command line may void your Broadcom support agreement unless the following procedures are followed.


Any changes made to the server using the command line must be:

  • Authorized in writing by Broadcom Technical Support or published as an approved and documented process on the Broadcom Knowledge Base.
  • Implemented by a contracted Broadcom Partner, a reseller or Broadcom Technical Support.
  • Summarized and documented in a text file in the /var/lib/ovid/customization directory on the Encryption Management Server itself.


Important Notes:
Installing third-party applications, or using customized scripts outside of written/contractual approvals/agreements, is not supported. Symantec Encryption Management Server (SEMS) is scanned for security and is considered a locked box. As a result, SEMS is considered a secure device and making changes to the system could introduce security-related issues; therefore installing any third-party software is highly discouraged and is not supported. For more information on this topic, see article 206673.


Changes made through the command line may not persist through reboots and may be incompatible with future releases. Broadcom Technical Support may also require reverting any custom configurations on the server back to a default state when troubleshooting new issues.

Environment

Symantec Encryption Management Server 3.4 and above.

Resolution

If you make regular SSH connections to Encryption Management Server and/or connect to multiple servers, PuTTY is recommended because it is a Windows application and allows you to save your sessions.

If you rarely connect to Encryption Management Server and/or do not wish to install PuTTY, the OpenSSH for Windows command line utilities will fulfil your requirements.

Encryption Management Server only supports key-based authentication over SSH, so whichever method you use there is some initial work required to create a key pair and import the public key into Encryption Management Server.

Using PuTTY

The latest stable release of PuTTY can be downloaded from here. The installation package includes a Windows application called PuTTYgen for creating keys, the PuTTY SSH application itself and a command line SCP client called pscp that you may find useful for transferring files. There are 32-bit and 64-bit versions available.

Download PuTTY and install it in the normal way, accepting all the default settings.

Create an SSH key pair

  1. Open PuTTYgen.
  2. Confirm the Parameters (at the bottom of the PuTTY Key Generator window) for the type of key to generate. The defaults of RSA 2048 bits are suitable.
  3. Create a key pair by clicking on the Generate button in the Actions section. Generate some randomness for the key by moving the mouse over the blank area.
  4. After the key generation is complete, right click in the area called Public key for pasting into OpenSSH authorized_keys file and choose Select All, then right click and choose Copy to place the public key block on the clipboard.
  5. Open Notepad and paste the public key block into the new file and then save it. For example, save the file as ssh_key.pub.
  6. Optionally, in PuTTYgen enter a passphrase for the private key in the Key passphrase field and confirm it in the Confirm passphrase field. You will be prompted for this passphrase each time you SSH to the Encryption Management Server.
  7. Click on the Save private key button to save the private key. PuTTYgen uses the *.ppk file extension for private keys. For example, save the file as ssh_key.ppk.

Import the public key into Encryption Management Server

  1. Log in as a user with SuperUser role permissions to the Encryption Management Server administration console.
  2. Click on System / Administrators and click on the name of an account with a role of SuperUser. Note that keys can only be added to users with the SuperUser role.
  3. Click the + button on the right of the SSHv2 Key field. This will open the Update SSH Public Key page.
  4. Click on the Choose file button and browse to the folder containing the public key file, then double click on the file to choose it. For example, the public key may be called ssh_key.pub.
  5. Click on the Import button to import the public key.
  6. Click Save to save the changes to the SuperUser account.

SSH to Encryption Management Server

  1. Open PuTTY.
  2. Enter the Encryption Management Server FQDN or IP address in the Host Name (or IP address) field. For example, keys.example.com.
  3. Confirm that the Port field is set to the default of 22 and the Connection type field is set to the default of SSH.
  4. Under the Category section on the left of the application window, expand SSH and click on Auth.
  5. Click on the Browse button and select the *.ppk private key file that you created using PuTTYgen. For example, ssh_key.ppk.
  6. Under the Category section on the left of the application window, click on Session.
  7. Enter a name for the connection in the Saved Sessions field and click the Save button to save the connection. For example, keys.
  8. Click the Open button to connect to Encryption Management Server.
  9. When prompted for the username, enter root.
  10. The first time you log in a security warning will appear. Click Yes to continue.
  11. If you saved the private key with a passphrase, you will be prompted for it.
  12. To quit your SSH session enter exit.
  13. To open a saved session in PuTTY, simply double click on the name of a saved session.

SCP files to and from Encryption Management Server

  1. Open a Command Prompt or Windows PowerShell.
  2. Download a file from Encryption Management Server using the pscp utility, passing the name of the private key as a parameter. For example, if the private key file is ssh_key.ppk located in your Documents folder, the server name is keys.example.com and you want to download a backup file called PGP-Universal-Backup-keys.example.com-backup-10-10-19-03-20-22.tar.gz.pgp located in the /var/lib/ovid/backups directory of Encryption Management Server to the Documents folder on your machine, the command would be as follows. Note the . character at the end of the command. This tells pscp to retain the source file name:
    pscp -i Documents\ssh_key.ppk root@keys.example.com:/var/lib/ovid/backups/PGP-Universal-Backup-keys.example.com-backup-10-10-19-03-20-22.tar.gz.pgp Documents\.
  3. If you wanted to upload a file in your Documents folder called validate_enroll.sh.gz to the /var/lib/ovid/customization directory of Encryption Management Server, the command would be as follows:
    pscp -i Documents\ssh_key.ppk Documents\validate_enroll.sh.gz root@keys.example.com:/var/lib/ovid/customization

Using OpenSSH for Windows

Create an SSH key pair

  1. Open a Command Prompt or Windows PowerShell.
  2. By default, you will be in the %USERPROFILE% directory. For example, C:\Users\firstname.lastname.
  3. Optionally, change directory to the location in which you wish to store the public and private keys. For example, if you wish to store the keys in your Documents folder, enter the following:
    cd documents
  4. Generate an OpenSSH format key pair on the client using the ssh-keygen utility. For example, to generate a private key called ssh_key and a public key called ssh_key.pub do the following. You will be prompted for a passphrase. You will be prompted for this passphrase each time you SSH to the Encryption Management Server. Press the Enter key if you do not wish to set a passphrase:
    ssh-keygen -t rsa -f ssh_key
  5. The utility will set permissions on the private key correctly so that only you have permission to access it. Therefore you may need to change the file's permissions if you move it to a new location.
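Before importing the public key (whether saved from PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box or written by ssh-keygen), it is worth confirming that the file really is a single-line OpenSSH RSA key of the expected size and noting its fingerprint so you can compare it with what the server shows. The following is an added example, not part of this article or the product; the sample key it builds is constructed for the format check and is not a usable key.

```python
# Added example, not from the article: validate an OpenSSH public key line
# before importing it into Encryption Management Server. Sample key is constructed.
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode an RFC 4251 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode an RFC 4251 'mpint' (adds a leading 0x00 when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, offset):
    """Decode one RFC 4251 'string' at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def inspect_public_key(line, min_bits=2048):
    """Parse one 'ssh-rsa AAAA... comment' line; return type, modulus bits and the
    SHA256 fingerprint (same form as `ssh-keygen -lf`). ValueError if unsuitable."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a single-line OpenSSH public key")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # raises on RFC 4716 / PEM text
    inner_type, off = _read_string(blob, 0)
    if inner_type != keytype.encode() or keytype != "ssh-rsa":
        raise ValueError(f"unsupported or inconsistent key type {keytype}")
    _exponent, off = _read_string(blob, off)
    modulus, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after RSA key blob")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        raise ValueError(f"RSA modulus is only {bits} bits")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": keytype, "bits": bits, "fingerprint": "SHA256:" + fp}


def make_sample_key(bits=2048, comment="constructed-sample"):
    """Build a syntactically valid ssh-rsa line around a made-up modulus (NOT a real key)."""
    modulus = (1 << (bits - 1)) | 0x5A5A5A5B  # top bit set so bit_length == bits
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

Run `inspect_public_key(open("ssh_key.pub").read())` against your own file; a key saved with PuTTYgen's "Save public key" button (RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" format) is rejected, which is why the article has you copy from the paste box instead.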

Import the public key into Encryption Management Server

  1. Log in as a user with SuperUser role permissions to the Encryption Management Server administration console.
  2. Click on System / Administrators and click on the name of an account with a role of SuperUser. Note that keys can only be added to users with the SuperUser role.
  3. Click the + button on the right of the SSHv2 Key field. This will open the Update SSH Public Key page.
  4. Click on the Choose file button and browse to the folder containing the public key file, then double click on the file to choose it. For example, the public key may be called ssh_key.pub.
  5. Click on the Import button to import the public key.
  6. Click Save to save the changes to the SuperUser account.

SSH to Encryption Management Server

  1. Open a Command Prompt or Windows PowerShell.
  2. Open a secure shell in Encryption Management Server using the ssh utility, passing the name of the private key as a parameter. For example, if the private key file is ssh_key located in your Documents folder and the server name is keys.example.com, connect as follows. You will be prompted for a passphrase if your key has one:
    ssh -i Documents\ssh_key root@keys.example.com
  3. The first time you log in a security warning will appear. Type Yes to continue.
  4. To quit your SSH session enter exit.

SCP files to and from Encryption Management Server

  1. Open a Command Prompt or Windows PowerShell.
  2. Download a file from Encryption Management Server using the scp utility, passing the name of the private key as a parameter. For example, if the private key file is ssh_key located in your Documents folder, the server name is keys.example.com and you want to download a backup file called PGP-Universal-Backup-keys.example.com-backup-10-10-19-03-20-22.tar.gz.pgp located in the /var/lib/ovid/backups directory of Encryption Management Server to the Documents folder on your machine, the command would be as follows. Note the . character at the end of the command. This tells scp to retain the source file name:
    scp -i Documents\ssh_key root@keys.example.com:/var/lib/ovid/backups/PGP-Universal-Backup-keys.example.com-backup-10-10-19-03-20-22.tar.gz.pgp Documents\.
  3. If you wanted to upload a file in your Documents folder called validate_enroll.sh.gz to the /var/lib/ovid/customization directory of Encryption Management Server, the command would be as follows:
    scp -i Documents\ssh_key Documents\validate_enroll.sh.gz root@keys.example.com:/var/lib/ovid/customization