How to Set Up SSH Permissions for the Kerberos Connector

The CA Identity Manager 12.5 SP8 Connector uses SSH to execute the kadmin command remotely. Set up SSH permissions on the SSH server under any of the scenarios described in When to Configure the Kerberos Connector to Use SSH. To use the Kerberos Connector, configure it to use SSH as follows:

  1. On the SSH Server host, do the following:
    1. Create the account that is used by the connector to log in to the SSH Server host.

      Note: You can create an account using the Solaris utility useradd.

    2. Verify that the account has a password and that the account has a home directory.
  2. Enable the SSH service on the SSH server.
  3. Set up the key pair and authorized keys file, and permissions for accessing and running kadmin on the SSH server. Do one of the following, depending on where your Java CS host is located:
    1. If you plan to use the connector on a Solaris 10 Java CS host that is not a member of the realm, generate an RSA key pair using ssh-keygen on the Java CS host.
    2. If you plan to use the connector on a Windows or Linux Java CS host that is not a member of the realm, generate an RSA key pair using puttygen on the Java CS host.

    Note: In both of the preceding scenarios, the private key must be on the Java CS host, and the public key on the SSH Server host.

  4. Set up SSH user permissions on the SSH Server.
  5. Verify that kadmin is visible in the SSH environment.
  6. If you are upgrading CA Identity Manager to SP8 or later, you have existing KRB endpoints, and you plan to move the Java CS from Solaris to a Windows, Linux, or Solaris host that is not a member of the realm, do the following additional steps:
    1. Use Connector Xpress to set the managing Java CS to the new Java CS host.

      Note: For more information about setting the managing Java CS, see the Connector Xpress User Guide.

    2. Use the etautil utility to assign values to the SSH attributes.
    3. Use the CA Identity Manager Management Console to import the new role definition file for the Kerberos connector.

      The new Role Definition file is version 2.0.

      Note: For more information about importing the role definition file, see Import Role and Task Settings into CA Identity Manager in the Connector Xpress Guide.

    4. Acquire the Kerberos endpoint.
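
The following script is an added example, not part of the CA documentation or tooling: it checks the outcome of steps 1, 3, 4 and 5 for the connector account. It assumes an OpenSSH-style SSH server (keys in $HOME/.ssh/authorized_keys, StrictModes enabled); the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the connector account's SSH setup on the SSH Server host.
# Assumes an OpenSSH-style server: keys in $HOME/.ssh/authorized_keys, StrictModes on.

# Print the path if group or others can write to it (sshd StrictModes refuses such paths).
loose_write() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_ssh_home HOME_DIR: prints one line per finding; exit status = number of findings.
audit_ssh_home() {
    home=$1; keys=$home/.ssh/authorized_keys; findings=0
    note() { echo "$1 $2"; findings=$((findings + 1)); }
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then note MISSING "$p"
        elif [ -n "$(loose_write "$p")" ]; then note WRITABLE_BY_GROUP_OR_OTHER "$p"
        fi
    done
    if [ -f "$keys" ]; then
        # puttygen's "Save public key" writes RFC 4716 text, which authorized_keys
        # does not accept; it needs the one-line "ssh-rsa AAAA..." form.
        if grep -q 'BEGIN SSH2 PUBLIC KEY' "$keys"; then note RFC4716_FORMAT "$keys"
        elif ! grep -Eq '(^|[[:space:]])ssh-rsa[[:space:]]+AAAA' "$keys"; then
            note NO_RSA_KEY "$keys"
        fi
    fi
    # The private key belongs on the Java CS host only.
    for f in "$home"/.ssh/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY-----' "$f" && note PRIVATE_KEY_ON_SERVER "$f"
    done
    return "$findings"
}

# kadmin_visible USER HOST KEYFILE: succeeds if a non-interactive SSH session finds kadmin.
# Run from the Java CS host; assumes the account's login shell understands `command -v`.
kadmin_visible() {
    ssh -i "$3" -o BatchMode=yes "$1@$2" 'command -v kadmin' >/dev/null 2>&1
}
```

Run audit_ssh_home on the SSH Server host against the connector account's home directory, and kadmin_visible from the Java CS host once the key pair is in place.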