

Create a Trust Relationship to a Remote Host Referenced by a Host Group

A remote host is a host that a host group references. The host group is configured on a host with an agent; the remote host typically has no agent. Targeting a remote host requires that a process operator has SSH connectivity between an agent host and the referenced remote host.

Establish an SSH connection with one of the following methods:

When you configure both a user account and a trust relationship, the product uses the trust relationship as the backup mechanism: if authentication with the configured credentials fails, the product authenticates with the key pair.

Generate a key pair with the ssh-keygen program. Save the private key to the configured SSH Keys Path, and then copy the public key to each remote host that the host group references. Put the public key file where the SSH daemon can find it. The OpenSSH daemon, sshd, looks for the key in /home/user_name/.ssh/authorized_keys.

You can create a trust relationship to a remote host that a host group references.

Follow these steps:

  1. Log in to the host that contains the agent where the host group is defined.
  2. Open a command prompt and change directories to a path from which to generate the key pair.

    For example, if you downloaded OpenSSH on a Windows system, change to the C:\Program Files\OpenSSH\bin directory that contains the ssh-keygen program.

  3. Generate a key pair with the following command:
    ssh-keygen -t dsa -b 1024 -f user_name

    user_name
    Defines the value that you configured as Remote User Name in the Host Group.

    The following message and prompt are displayed:

    Generating the public/private dsa key pair.
    
    Enter passphrase <empty for no passphrase>:
    
  4. Enter the value that you configured as Remote Password in the Host Group. This value is required.

    The following prompt is displayed:

    Enter same passphrase again:
    
  5. Enter the Remote Password value again.

    The following messages are displayed:

    Your identification has been saved in user_name.
    
    Your public key file has been saved in user_name.pub.
    
    The key fingerprint is:
    
    fingerprint_string login_name@host_name
    

    The product creates the private key file named user_name and the public key file named user_name.pub. The passphrase for the key file is the same as the password on the user account that is used for SSH access.

  6. Move the private key file named user_name to the location that is configured as SSH Keys Path in the host group. For example:
  7. Transfer the public key file (user_name.pub) to each host that the host group references and put it where the SSH daemon can find it.

    Different SSH daemons follow different conventions. Examine the ssh-keygen options for public key file formatting requirements.

  8. For OpenSSH, append the public key from user_name.pub to the file that contains all authorized keys that the host uses. The OpenSSH SSH daemon (sshd) searches the authorized_keys file. The authorized_keys file must be in the .ssh directory in the home directory path.
    1. Run the following command on each host that the host group references:
      cat user_name.pub >> /home/user_name/.ssh/authorized_keys
      
    2. Switch users to root and restart the ssh service:
      su root
      
      service sshd restart
      
  9. Verify that access is established. Log in to the host with the agent and ssh to the remote host. If the login succeeds, the trust relationship is established. Enter the following command from the agent host:
    ssh user_name@remote_host
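The following POSIX shell functions are an added example, not part of the product documentation or of CA Process Automation itself. They perform the authorized_keys installation from step 8 in a way that can be rerun without duplicating the key and that sets the directory and file modes sshd's default StrictModes setting requires, and they make the step 9 verification non-interactive so that a successful login cannot silently be a password login. The paths and the key line in the comments are assumed placeholders.

```shell
#!/bin/sh
# Added example (not CA Process Automation's own scripts). Assumes OpenSSH
# public-key lines such as "ssh-dss AAAA... user_name@agent_host".

# Succeed only if the file holds an OpenSSH public key line; "ssh-keygen -t dsa"
# as used on this page writes an "ssh-dss" line, other key types are accepted too.
is_openssh_pubkey() {
    [ -f "$1" ] || return 1
    grep -Eq '^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$1"
}

# Append the key in $1 to $2/.ssh/authorized_keys unless it is already present.
# Creates the .ssh directory (0700) and the file (0600): with StrictModes, the
# default, sshd ignores authorized_keys when either is group/world writable,
# and the fallback to the key pair then fails without an obvious reason.
install_authorized_key() {
    pubfile=$1
    home_dir=$2
    is_openssh_pubkey "$pubfile" || { echo "not an OpenSSH public key: $pubfile" >&2; return 1; }
    sshdir=$home_dir/.ssh
    authfile=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"
    # Compare on the key material (field 2), so a changed comment does not
    # produce a second copy of the same key.
    keydata=$(awk 'NR == 1 {print $2}' "$pubfile")
    if grep -Fq -- "$keydata" "$authfile"; then
        return 0    # already installed; a rerun is a no-op
    fi
    # printf guarantees the trailing newline even if the .pub file lacks one.
    printf '%s\n' "$(head -n 1 "$pubfile")" >> "$authfile"
}

# Number of OpenSSH key lines in an authorized_keys file (used to check for duplicates).
authorized_key_count() {
    grep -c -E '^(ssh-|ecdsa-)' "$1"
}

# Step 9 check: BatchMode refuses any interactive prompt and password
# authentication is disabled, so exit status 0 proves the key pair works.
verify_trust() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$1@$2" true
}
```

Run `install_authorized_key user_name.pub /home/user_name` on each referenced host, then `verify_trust user_name remote_host` from the agent host.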
    

More information:

Host Group Implementation Process

CA Process Automation-Specific Requirements for SSH Connectivity