

Create an SSH Key-based Network Scan Policy

If you want to use SSH to access remote servers during network discovery, you can configure a CA Configuration Automation Network Scan Policy to use a public/private key pair to secure communications.

To generate the key pair files

  1. Log on to a computer where SSH is installed, open a command window, and navigate to the ssh/bin directory.
  2. Issue the following command to generate the public/private key pair:
    ssh-keygen -t rsa
    

    The following prompt appears:

    Generating public/private rsa key pair.
    Enter file in which to save the key (home/Administrator/.ssh/id_rsa):
    
  3. Press Enter to accept the default names (id_rsa.pub and id_rsa).

    You are prompted to enter a passphrase:

    Enter passphrase (empty for no passphrase)
    
  4. Enter a passphrase, or press Enter to proceed without passphrase protection for the key pair.

    You are prompted to confirm the passphrase:

    Enter same passphrase again
    
  5. Enter the passphrase again, then press Enter.

    The following confirmation appears:

    Your identification has been saved in /home/Administrator/.ssh/id_rsa
    Your public key has been saved in /home/Administrator/.ssh/id_rsa.pub
    The key fingerprint is:
    45:gd:b1:3e:c0:92:18:44:7b:e6:tc:d5:m1:6c
    
  6. Copy the public and private keys (id_rsa.pub and id_rsa) to the NDG Server used by your CA Configuration Automation Server for discovery operations.

    You can copy the files to any folder.

  7. Copy the public key (id_rsa.pub) to the computer that is the target of your discovery (that is, the server you want to discover and manage using CA Configuration Automation) using one of the following methods:

    Note: The target server must have the SSH server software installed.
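Steps 6 and 7 leave the key files where you copy them; as an added example (not from the CA Configuration Automation documentation), this POSIX shell script installs the id_rsa.pub line into a target account's authorized_keys exactly once with the permissions sshd's StrictModes requires, and checks that the id_rsa copy on the NDG Server is not readable by other users. The directory paths and the key line it uses are constructed for the demo.

```shell
# Added example, not the CA Configuration Automation documentation's own code.
# Installs the public key from step 7 into a target account's authorized_keys
# and checks the private key mode from step 6. Paths and the key line below
# are constructed for the demo.

# install_pubkey <id_rsa.pub> <target ~/.ssh dir>
# Validates the key line, appends it exactly once, and sets the modes that
# sshd requires when StrictModes is on (700 for .ssh, 600 for authorized_keys).
install_pubkey() {
    pubkey="$1"; sshdir="$2"
    line=$(head -n 1 "$pubkey")
    case "$line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 1 ;;
    esac
    # Compare on type + key material only, so a different comment is not a duplicate.
    keymat=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    ak="$sshdir/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    if ! grep -qF -- "$keymat" "$ak"; then
        printf '%s\n' "$line" >> "$ak"
    fi
}

# authorized_key_count <target ~/.ssh dir>: number of key lines installed.
authorized_key_count() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# private_key_mode_ok <id_rsa>: ssh refuses a private key other users can read;
# the copy placed on the NDG Server should be 600 (or 400).
private_key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Demo with a constructed (not real) key line and a temporary target directory.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedsamplekey= ndg@example\n' \
    > "$demo_dir/id_rsa.pub"
printf 'constructed private key placeholder\n' > "$demo_dir/id_rsa"
chmod 600 "$demo_dir/id_rsa"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/target_ssh"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/target_ssh"   # no duplicate
echo "installed keys: $(authorized_key_count "$demo_dir/target_ssh")"
```

On a real target, sshd also rejects the key if the home directory or authorized_keys is group- or world-writable, which this script does not touch.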

To create a Network Scan policy that uses the key pair files

  1. Perform steps 1 through 6 as described in Create Network Scan Policies.

    The Discovery Options page appears.

  2. Specify the following ports explicitly so that the NDG adds them to the scan ports:
    VMware Web Services Port

    Specifies the port to communicate with the VMware server.

    Default: 443

    Microsoft SCVMM Port

    Specifies the port to communicate with the Microsoft System Center Virtual Machine Manager (SCVMM) server.

    Default: 8100

  3. Select the Perform Soft Agent Probe check box, then specify the following discovery options and SSH parameters:
    Network Configuration

    Specifies whether to discover network configuration settings.

    Applications

    Specifies whether to discover application configuration settings.

    Virtual Environment

    Specifies whether to discover servers and configuration settings of virtualized environments.

    Hardware

    Specifies whether to discover hardware components.

    Network Connections

    Specifies whether to discover established network connections and open ports.

    Select the check box, then click Port Mapping to include or exclude specific ports during a network discovery.

    Inclusions tab: In the left pane, double-click a mapped port to include it during a network scan.

    Exclusions tab: In the left pane, double-click a mapped port to exclude it during a network scan.

    SSH Port

    Specifies the port that is used for the SSH communications.

    Default: 22

    SSH Mode

    Specifies one of the following modes: SSH with Credentials or SSH with Key File and Credentials. Select SSH with Key File and Credentials.

    User Name

    Specifies the user name that is used for the key file authentication.

    Private Key File

    Specifies the location and private key file to use for the SSH authentication. Enter the path to the private key file (id_rsa) on the NDG Server used by your CA Configuration Automation Server (step 6 in the previous procedure).

    Public Key File

    Specifies the location of the public key file to use for the SSH authentication. Enter the path to the public key file (id_rsa.pub) on the NDG Server used by your CA Configuration Automation Server (step 6 in the previous procedure).

    Passphrase

    Specifies an optional key file protection passphrase. This must be the passphrase that was set when the key pair was created (step 4 in the previous procedure). Leave this field blank if you did not create a passphrase.

    If you click the Enable use of SSH Proxy check box, you can specify the following SSH Proxy options:

    Proxy Server

    Specifies the name or IP address of the proxy server.

    Proxy Port

    Specifies the listening port of the proxy server.

  4. Click Finish.

    The policy is created and appears in the Network Scan Policies table.

  5. Create a Network Discovery Profile that uses the new Network Scan Profile as described in Create Network Profiles.
  6. Perform a Discovery of the target servers using the Network Profile.

    Softagent data about the target servers is discovered and available in CA Configuration Automation.