Setting up Security - trillium_quality - 17.2

Trillium Director User Guide

Product type
Software
Product family
Trillium
Product
Trillium > Trillium Quality
Version
17.2
Language
English
Product name
Trillium Quality
Title
Trillium Director User Guide
Topic type
How Do I
Overview
Configuration
Reference
Administration
Installation
First publish date
2008

Setting up security involves the following steps:

  1. System administrator sets up SSH on Linux, described in set up SSH on Linux.

  2. Generate public and private keys on the client (your PC), as described in generate public and private keys using the Putty tool and n generate public and private keys using the SSH command line interface, or use the keys in the package.

    There are three tools available to set up security on Linux:

    • Putty (a free UI tool available on the Internet)

    • CGWIN (a free SSH toolkit SDK available on the Internet)

    • SSH command line

    Trillium recommends either the Putty or CGWIN method, which uses the standard steps and copies the public key from the client to the server. The SSH command line method requires copying the private key from the server to the client, which is not recommended.

  3. Create a passphrase.

  4. Copy the public key from the client to the Linux server.

  5. Append the public key to the authorized_keys file.

  6. Insert the Trillium command script directive before the public key entry inside the authorized_keys file.

To set up SSH on Linux

Follow this step if a system administrator or authorized user needs to set up SSH to work with a user account on Linux.

Create a .ssh directory for a Trillium user or authorized user and set necessary permissions.

Example

   cd ~  (home directory or Trillium user directory)
   mkdir .ssh
   chmod 700 .ssh

To generate public and private keys using the Putty tool

You can use Putty or CGWIN to generate public and private keys. The Putty tool method is described as an example.

Note: It is assumed that you have installed Trillium Director components on a Linux based system and you want to provide secure access to that system using the Director System Manager.
  1. Start puttygen.exe. The PuTTYKey Generator window opens.

  2. In Parameters, select SSH-2 RSA.

  3. In Actions, click Generate. The key will be generated.

    Figure 1. Putty Key GeneratorPutty Key Generator
  4. In Key passphrase, enter your key passphrase and confirm it.

  5. Select Conversions > Export OpenSSH key. Save the file.

  6. Highlight the entire text of the public key and copy it to the clipboard.

  7. Open a text editor such as Notepad and paste the key.

  8. Save the public key file using the same name as the private key file with a file extension of .pub. This helps you tell which files are paired.

    If you are running the Director System Manager using a special Trillium user created by the administrator on Linux, give this public key to the administrators and have them perform the following steps.

    If you are running the Director System Manager using your own user id on Linux, you can do the following steps by yourself to your own user account.

  9. Append the public key to the authorized_keys file and set necessary permissions.

    The ~user directory on Linux is configured by the administrator to have a subdirectory of .ssh. This directory holds the authorized_keys file used by OpenSSH.

       Example

       cd  ~/.ssh   (the .ssh directory in home directory)   cat  directorkey.pub >> authorized_keys   chmod 644  authorized_keys    
  10. Open the authorized_keys file and add the following Trillium command before the word “ssh-rsa” which is in front of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server.

    command="/<linux_trillium_software_bin_location>/trilsecure.sh"

   Example

   Before:

   ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01

   After:

   command="/Vendors/TrilliumSoftware/tsq/Software/bin/   trilsecure.sh" ssh-rsa   AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01
Note: If you are using Tectia, see Tectia’s documentation.

Rather than using Putty or CGWIN, you can use the SSH command line interface on the server side invoking the ssh-keygen tool. You could do this step in your user account, or a system administrator could do this step in a designated Trillium user account.

To generate public and private keys using the SSH command line interface

  1. Change directory to .ssh

  2. Using the following interactive script command, generate public and private keys with passphrase.

       ssh-keygen -t rsa
    Note: If you are on Red Hat 8, you need to run the command: ssh-keygen -m PEM

       Example

       Enter file to save key:  directorkey
       Enter Passphrase: *******
       Re-Enter Passphrase: *******

       The following key files are generated in this example:

    • directorkey.pub. The public key which will be required on the server.

    • directorkey. The private key that stays on the client.

    Record the passphrase you created for this key. In the Director System Manager, you will need to specify both the private key file and its passphrase. Whenever you attempt to perform secured functionality for Linux-based Director services, the public key file and its passphrase are required.

  3. Copy the private key to the remote client machine. You can copy the private key file to your client PC on which the Director System Manager runs to anywhere on your PC. The private key is useless without a passphrase. Only you know that passphrase.

  4. Append the public key file to the authorized_keys file and set necessary permissions.

       Example

       cd  ~/.ssh   (the .ssh directory in your home directory)
       cat  directorkey.pub >> authorized_keys
       chmod 644  authorized_keys     (necessary permissions)
  5. Open the authorized_keys file and add the following Trillium command before the word “ssh-rsa” which is in front of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server.

command="/<linux_trillium_software_bin_location>/trilsecure.sh"

   Example

   Before:

   ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01

   After:

   command="/Vendors/TrilliumSoftware/tsq/Software/bin/
   trilsecure.sh" ssh-rsa
   AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01