Setting up Security - trillium_quality

Setting up security involves the following steps:

Set up SSH on Linux, as described in Set up SSH on Linux
Generate public and private keys on the client (your PC), as described in Generate public and private keys using the Putty tool and Generate public and private keys using the SSH command line interfaceor use the keys in the package.

There are three tools available to set up security on Linux:
- Putty (a free UI tool available on the Internet)
- CYGWIN (a free SSH toolkit SDK available on the Internet)
- SSH command line
Trillium recommends either the Putty or CYGWIN method, which uses the standard steps and copies the public key from the client to the server. The SSH command line method requires copying the private key from the server to the client, which is not recommended.
Create a passphrase.
Copy the public key from the client to the Linux server.
Append the public key to the authorized_keys file.
Insert the Trillium command script directive before the public key entry inside the authorized_keys file.

To set up SSH on Linux:

Follow this step if a system administrator or authorized user needs to set up SSH to work with a user account on Linux.

Create a .ssh directory for a Trillium user or authorized user and set necessary permissions.Example

cd ~  (home directory or Trillium user directory)
mkdir .ssh
chmod 700 .ssh

To generate public and private keys using the Putty tool:

You can use Putty or CYGWIN to generate public and private keys. The Putty tool method is described as an example.

Note: It is assumed that you have installed Trillium Director components on a Linux based system and you want to provide secure access to that system using the Director System Manager.

Start puttygen.exe. The PuTTY Key Generator window opens.
In Parameters, select SSH-2 RSA.
In Actions, click Generate. The key will be generated.

Figure 1. Putty Key Generator
In Key passphrase, enter your key passphrase and confirm it.
Select Conversions > Export OpenSSH key. Save the file.
Highlight the entire text of the public key and copy it to the clipboard.
Open a text editor such as Notepad and paste the key.
Save the public key file using the same name as the private key file with a file extension of .pub. This helps you tell which files are paired.

If you are running the Director System Manager using a special Trillium user created by the administrator on Linux, give this public key to the administrators and have them perform the following steps.

If you are running the Director System Manager using your own user id on Linux, you can do the following steps by yourself to your own user account.
Append the public key to the authorized_keys file and set necessary permissions.

The ~user directory on Linux is configured by the administrator to have a subdirectory of .ssh. This directory holds the authorized_keys file used by OpenSSH.
Example
```
cd ~/.ssh(the .ssh directory in home directory)
cat directorkey.pub >> authorized_keys
chmod 644 authorized_keys    
```
Open the authorized_keys file and add the following Trillium command before the word “ssh-rsa” which is in front of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server.
```
command="/<linux_trillium_software_location>/trilsecure.sh"
```

Example

Before:

ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01

After:

command="/Vendors/TrilliumSoftware/tsq/
Software/bin/trilsecure.sh" ssh-rsa
AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01

Note: If you are using Tectia, see Tectia’s documentation.

Rather than using Putty or CYGWIN, you can use the SSH command line interface on the server side invoking the ssh-keygen tool. You could do this step in your user account, or a system administrator could do this step in a designated Trillium user account.

To generate public and private keys using the SSH command line interface:

Change directory to .ssh
Using the following interactive script command, generate public and private keys with passphrase.

ssh-keygen -t rsa
Example
```
Enter file to save key: directorkey
Enter Passphrase: *******
Re-Enter Passphrase: *******
```
The following key files are generated in this example:
- directorkey.pub. The public key which will be required on the server.
- directorkey. The private key that stays on the client.
Record the passphrase you created for this key. In the Director System Manager, you will need to specify both the private key file and its passphrase. Whenever you attempt to perform secured functionality for Linux-based Director services, the public key file and its passphrase are required.
Copy the private key to the remote client machine. You can copy the private key file to your client PC on which the Director System Manager runs to anywhere on your PC. The private key is useless without a passphrase. Only you know that passphrase.

Append the public key file to the authorized_keys file and set necessary permissions.

Example

cd ~/.ssh(the .ssh directory in your home directory)
cat directorkey.pub >> authorized_keys
chmod 644 authorized_keys (necessary permissions)

Open the authorized_keys file and add the following Trillium command before the word “ssh-rsa” which is in front of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server.
```
command="/<linux_trillium_software_bin_location>/
trilsecure.sh"
```

Example

Before:

ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01

After:

command="/Vendors/TrilliumSoftware/tsq/
Software/bin/trilsecure.sh" ssh-rsa
AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01

Setting up Security - trillium_quality - 17.1

Trillium TS Web Services Developer Guide