Add a Key

Some features in ECX require credentials and keys to access your providers. For example, ECX connects to the Oracle servers as the local operating system user specified during registration in order to perform tasks like cataloging, data protection, and data restores. ECX also logs into local database and ASM instances as this user through password-less OS authentication. Therefore, the user must have all the privileges ECX needs to perform its tasks.

ECX connects to Oracle servers as a local operating system user through a password or an SSH key. To use a key, enter a username and select or create an SSH key. When using a key, the username must exist as a local user on the Oracle server. For password-based authentication, the password must be correctly configured for the appropriate user on the Oracle server. For key-based authentication, the public key must be placed in the authorized_keys file for the appropriate user on the Oracle server. See Oracle Requirements.

Amazon Web Services (AWS) access keys and secret keys are configured through the AWS Management Console and then added to ECX.

The procedures below describe how to add keys and register associated Oracle or AWS providers.

Add an SSH key through the Generate a keypair for me method and register an associated provider

  1. In ECX, click the Configure tab. On the Views pane, select Identities, then the Keys tab.
  2. Click New. The Create Key dialog displays.
  3. Select SSH as the key type and enter a key name in the Name field.
  4. Select Generate a keypair for me as the creation type and enter an optional comment. Click OK. A public key is generated and displays in the Create Key dialog. Copy the key. See the following steps to use this key to register an Oracle provider.
  5. On the Oracle server, execute cd ~/.ssh while logged in as the Oracle user assigned to ECX. Paste and save the generated public key to the authorized_keys file.
  6. In ECX, click the Configure tab. On the Views pane, select Sites & Providers. The Provider Browser opens.
  7. Right-click Oracle in the Provider Browser, then click Register. The Register Oracle Server dialog opens.
  8. Select a Site, enter a Name and Host Address.
  9. Select Key as the Authentication type. Enter the Oracle username, then select the key created in Step 2 in the Key field. Click OK. 

Add an SSH key through the I will provide a keypair method and register an associated provider

Generation of keys can occur on the ECX appliance using the command-line interface (CLI) or any other compatible server. In some circumstances, creating and adding a private/public SSH keypair generated on another host may be desirable. It is possible to generate SSH keypairs on another computer and then import them onto the ECX appliance as needed.

Note: Generally, private keys should not be generated on a client server and then transferred to the ECX appliance. It is strongly suggested that appropriate security measures be taken to protect the secrecy of the private keys. Loss or exposure of SSH private keys outside of the SSH host can severely compromise the security of communications using the SSH protocol. It is not recommended to copy private keys between different systems. If a new SSH keypair is needed, it is strongly advised that the procedure in the Add an SSH key through the Generate a keypair for me method and register an associated provider topic be followed to have the ECX appliance generate the keypair and then copy the public key to the intended host. If there is a special need to generate a keypair on another host, use the procedure outlined below and ensure that appropriate security measures are taken to create, secure, and enter the private key.

  1. Identify a machine that has SSH installed. This machine will be used to generate the new SSH keypair. Log in to the identified machine and launch the terminal.
  2. In the terminal, generate an SSH keypair by executing the ssh-keygen command:

    $ ssh-keygen

  3. When prompted, enter the full path name where the key pair will be output. The ssh-keygen command suggests a default file. Use the default only if a key has not yet been generated; otherwise, using the default may overwrite an existing SSH key pair. The default will typically appear as /home/<user_account>/.ssh/id_rsa, where <user_account> is the account used to log in to this system. Any valid path name can be used for the new SSH key, for example /home/<user_account>/newkey. If a key with the default name already exists, the message below is displayed. Do not overwrite preexisting keys that are in use; overwrite these files only if you intend to do so. Press N to enter a different file in which to save the key and avoid overwriting an existing keypair.

    /home/<user_account>/.ssh/id_rsa already exists. Overwrite (y/n)?

  4. Supply a passphrase and press Enter. Otherwise, press Enter for no passphrase.

  5. If a passphrase was supplied, enter it again. Press Enter.

  6. The key generation produces two files: the private key, at the path name supplied in the previous steps, and the public key, at the same path name with .pub appended. Using the default naming, these are id_rsa and id_rsa.pub. The generated public key (id_rsa.pub) must be transferred to the server to which the ECX appliance will connect. In this example, it is an Oracle server. Transfer the public key to the Oracle server. For the remainder of this procedure, it is assumed that the keypair is saved in the default location using the default file names for the keypair: /home/<user_account>/.ssh/. If the keypair is created using a different file name, use that file name in the steps that follow.

  7. On the server to which the ECX appliance will connect and to which the public key has been copied, append the key (id_rsa.pub) to the user’s authorized_keys file. The authorized_keys file is generally found in the user’s SSH directory. For example, it may be found at the following location: /home/<user_account>/.ssh/authorized_keys. If the authorized_keys file does not exist, consult the operating system’s documentation for the procedure to properly create this file. If the file exists, append the contents of the public key to the authorized_keys file. If this is not being done from the account that contains the authorized_keys file, it may be necessary to enter the su command to switch to that user. The step below assumes that you are logged into the server with the account that contains the authorized_keys file:

    $ cat id_rsa.pub >> ~/.ssh/authorized_keys

    Note: This process can be automated using the ssh-copy-id program from the computer used to generate the key. Consult the vendor’s documentation for details on usage of this program.

  8. Log in to the ECX appliance.

  9. Click on the Configure tab. On the Views pane, select Identities, and then click on the Keys tab.

  10. Click New. The Create Key dialog displays.

  11. Select SSH as the key type and enter a name for the key in the Name field.

  12. Select I will provide a key pair as the creation method.

  13. On the server where the SSH keypair was generated, locate the private key (id_rsa). For example, the key generated by this process is in the following directory: /home/<user_account>/.ssh/. Copy the contents of the private key (id_rsa) to the ECX appliance into the Private Key field in the Create Key dialog.

  14. (Optional) It is highly recommended to copy the public key (id_rsa.pub) into the Public Key field.

  15. (Optional) Enter a helpful comment so that the usage of the key can be easily recalled.

  16. Click OK to create the key.

  17. Once the key has been added to the ECX appliance, the server to which the ECX appliance will connect needs to be registered. In this example, an Oracle server is used. In the ECX appliance, click on the Configure tab.

  18. On the Views pane, select Sites & Providers. The Provider Browser opens.

  19. Right-click Oracle in the Provider Browser dialog and then click Register. The Register Oracle Server dialog opens.

  20. Select a Site, enter a name in the Name field and a host address in the Host Address field.

  21. Select Key as the Authentication type. Enter the username of the account whose authorized_keys file received the public key in Step 7 on the host to which the ECX appliance will connect. In this example, that host is the Oracle server, so enter the Oracle username.

  22. Select the key created in Step 10 in the Key field. Click OK.
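
Both SSH procedures above depend on appending a public key to the Oracle user's authorized_keys file. As an added example (not part of the ECX documentation), the POSIX shell function below performs that append idempotently, refuses private key material, and sets the file modes sshd expects. The name install_pubkey and its optional second argument are hypothetical, chosen so the function can be tried against a scratch directory first.

```sh
#!/bin/sh
# Added example. install_pubkey is a hypothetical helper, not an ECX or OpenSSH command.
# Usage: install_pubkey <public_key_file> [ssh_dir]   (ssh_dir defaults to ~/.ssh)
install_pubkey() (
    pub_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file=$ssh_dir/authorized_keys
    [ -r "$pub_file" ] || { echo "cannot read $pub_file" >&2; exit 2; }

    # Only the .pub half belongs on the server: refuse private key material.
    if grep -q 'PRIVATE KEY' "$pub_file"; then
        echo "refusing: $pub_file contains a private key" >&2
        exit 3
    fi

    # Check the first line has the "<type> <base64> [comment]" shape.
    key_line=$(head -n 1 "$pub_file")
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "refusing: unrecognized key type" >&2; exit 4 ;;
    esac
    printf '%s\n' "$key_blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' ||
        { echo "refusing: malformed key data" >&2; exit 4; }

    # With StrictModes (on by default) sshd rejects keys when ~/.ssh or
    # authorized_keys is writable by other users, so pin the modes.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 5
    touch "$auth_file" && chmod 600 "$auth_file" || exit 5

    # Idempotent: do nothing if this key is already authorized.
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo "key already present in $auth_file"
        exit 0
    fi
    # Keep an unterminated last line from fusing with the new entry.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key appended to $auth_file"
)
```

Run it as the account that owns the authorized_keys file, for example install_pubkey id_rsa.pub after transferring the public key to the Oracle server.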

Add an Amazon Web Services (AWS) key and register an associated provider

  1. Create your AWS access key and secret key through the AWS Management Console. Make note of the access and secret keys, which will be used later in this procedure. See Managing Access Keys for IAM Users.
  2. In ECX, click the Configure tab. On the Views pane, select Identities, then the Keys tab.
  3. Click New. The Create Key dialog displays.
  4. Select AWS as the key type and enter a key name in the Name field.
  5. Enter the access key and secret key created in Step 1 in the Access and Secret fields. Enter an optional comment. See the following steps to use this key to register an AWS provider.
  6. In ECX, click the Configure tab. On the Views pane, select Sites & Providers. The Provider Browser opens.
  7. Right-click AWS in the Provider Browser, then click Register. The Register Amazon Web Services dialog opens.
  8. Select a Site, enter a Name and select a Region.
  9. Click Select in the Access Key section, then select the key created above. Click OK.

 


Catalogic ECX™ 2.12

© 2021 Catalogic Software, Inc. | All rights reserved. | 4/9/2021
