

Example: Configure Non-Interactive Authentication for Hub and Spoke

The existence of non-interactive authentication between two servers is a prerequisite for auto archiving from the source to the destination server. A common scenario for configuring non-interactive authentication is one where multiple source servers dedicated to collection have a common destination server dedicated to reporting/management. This example assumes a mid-sized CA User Activity Reporting Module federation with one reporting/management server (hub), four collection servers (spokes), and a remote storage server. Names for servers in each server role follow:

The procedures for enabling non-interactive authentication for CA User Activity Reporting Module federation follow:

  1. From the first collection server, generate an RSA key pair as caelmservice and copy the public key as authorized_keys to the /tmp directory on the destination reporting server.
  2. From each additional collection server, if any, generate an RSA key pair and copy the public key as authorized_keys_n, where n uniquely identifies the source.
  3. From the /tmp directory of the reporting server, concatenate the contents of these public key files to the original authorized_keys. Create an .ssh directory and change directory ownership to caelmservice, move authorized_keys to the .ssh directory, and set the key file ownership and required permissions.
  4. Verify that non-interactive authentication exists between each collection server and the reporting server.
  5. From the remote storage server, create a directory structure for the .ssh directory, where the default is /opt/CA/LogManager. Create an .ssh directory on the destination and change ownership to caelmservice.
  6. From the reporting server, generate an RSA key pair as caelmservice and copy the public key as authorized_keys to the /tmp directory on the destination remote storage server.
  7. From the remote storage server, move authorized_keys from /tmp to the .ssh directory and set the key file ownership to caelmservice with the required permissions.
  8. Verify that non-interactive authentication exists between the reporting server and the remote storage server.
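
The hub-side merge in step 3 and the checks in steps 4 and 8, as an added shell example that is not CA product code. It assumes modes 700 for .ssh and 600 for authorized_keys (the customary OpenSSH values; this page does not state them), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not product code. SVC_USER is from the page; modes 700/600
# are the customary OpenSSH values and are an assumption here.
SVC_USER=caelmservice

# merge_keys SRC_DIR HOME_DIR  (step 3)
# Builds HOME_DIR/.ssh/authorized_keys from SRC_DIR/authorized_keys and
# SRC_DIR/authorized_keys_n, dropping blank and duplicate lines.
merge_keys() (
    src=$1; home=$2
    umask 077                       # never create anything group/world readable
    [ -f "$src/authorized_keys" ] || { echo "no $src/authorized_keys" >&2; exit 1; }
    mkdir -p "$home/.ssh" || exit 1
    cat "$src"/authorized_keys "$src"/authorized_keys_* 2>/dev/null |
        awk 'NF && !seen[$0]++' > "$home/.ssh/authorized_keys.new" || exit 1
    mv "$home/.ssh/authorized_keys.new" "$home/.ssh/authorized_keys" || exit 1
    chmod 700 "$home/.ssh" || exit 1
    chmod 600 "$home/.ssh/authorized_keys" || exit 1
    # Ownership can only be changed by root, and only if the account exists.
    if [ "$(id -u)" -eq 0 ] && id "$SVC_USER" >/dev/null 2>&1; then
        chown -R "$SVC_USER" "$home/.ssh" || exit 1
    fi
)

# key_count HOME_DIR: number of public keys accepted for logins.
key_count() { awk 'NF { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"; }

# audit_ssh_dir HOME_DIR: fail if .ssh or the key file grants group/other access.
audit_ssh_dir() (
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; exit 1; }
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$p" | cut -c5-10)" = "------" ] ||
            { echo "too permissive: $p" >&2; exit 1; }
    done
)

# check_login HOST  (steps 4 and 8): BatchMode forbids password prompts, so
# this succeeds only when key authentication works non-interactively.
check_login() { ssh -o BatchMode=yes -o ConnectTimeout=5 "$SVC_USER@$1" true; }
```

Run merge_keys as root on the reporting server with /tmp and the caelmservice home directory, then audit_ssh_dir on that same directory. A key count equal to the number of collection servers confirms that no spoke was missed or pasted twice.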

More information:

Configure Keys for First Collection-Reporting Pair

Configure Keys for Additional Collection-Reporting Pairs

Create a Single Public Key File on the Reporting Server and Set File Ownership

Validate Non-Interactive Authentication Between Collection and Reporting Servers

Create a Directory Structure with Ownerships on the Remote Storage Server

Configure Keys for the Reporting-Remote Storage Pair

Set Key File Ownership on the Remote Storage Server

Validate Non-Interactive Authentication Between Reporting and Storage Servers