Setting up Security - trillium_quality - 17.2

Trillium TS Web Services Developer Guide

Product type
Software
Product family
Trillium
Product
Trillium > Trillium Quality
Version
17.2
Language
English
Product name
Trillium Quality
Title
Trillium TS Web Services Developer Guide
Topic type
How Do I
Administration
Installation
Overview
Reference
Configuration
First publish date
2008
ft:lastEdition
2024-02-07
ft:lastPublication
2024-02-07T07:49:45.774952

Setting up security involves the following steps:

  1. Set up SSH on Linux, as described in Set up SSH on Linux

  2. Generate public and private keys on the client (your PC), as described in Generate public and private keys using the Putty tool and Generate public and private keys using the SSH command line interface, or use the keys in the package.

    There are three tools available to set up security on Linux:

    • Putty (a free UI tool available on the Internet)

    • CYGWIN (a free SSH toolkit SDK available on the Internet)

    • SSH command line

    Trillium recommends either the Putty or CYGWIN method, which uses the standard steps and copies the public key from the client to the server. The SSH command line method requires copying the private key from the server to the client, which is not recommended.

  3. Create a passphrase.

  4. Copy the public key from the client to the Linux server.

  5. Append the public key to the authorized_keys file.

  6. Insert the Trillium command script directive before the public key entry inside the authorized_keys file.

To set up SSH on Linux:

Follow this step if a system administrator or authorized user needs to set up SSH to work with a user account on Linux.

Create a .ssh directory for a Trillium user or authorized user and set the necessary permissions.

Example

cd ~            # home directory or Trillium user directory
mkdir .ssh
chmod 700 .ssh

To generate public and private keys using the Putty tool:

You can use Putty or CYGWIN to generate public and private keys. The Putty tool method is described as an example.

Note: It is assumed that you have installed Trillium Director components on a Linux based system and you want to provide secure access to that system using the Director System Manager.

  1. Start puttygen.exe. The PuTTY Key Generator window opens.

  2. In Parameters, select ECDSA (the default algorithm uses NISTP256).

  3. In Actions, click Generate. The key will be generated.

    Figure 1. Putty Key Generator

  4. In Key passphrase, enter your key passphrase and confirm it.

  5. Select Conversions > Export OpenSSH key. Save the file.

  6. Highlight the entire text of the public key and copy it to the clipboard.

  7. Open a text editor such as Notepad and paste the key.

  8. Save the public key file using the same name as the private key file with a file extension of .pub. This helps you tell which files are paired.

    If you are running the Director System Manager using a special Trillium user created by the administrator on Linux, give this public key to the administrators and have them perform the following steps.

    If you are running the Director System Manager using your own user id on Linux, you can do the following steps by yourself to your own user account.

  9. Append the public key to the authorized_keys file and set necessary permissions.

    The ~user directory on Linux is configured by the administrator to have a subdirectory of .ssh. This directory holds the authorized_keys file used by OpenSSH.

       Example
    cd ~/.ssh                    # the .ssh directory in your home directory
    cat directorkey.pub >> authorized_keys
    chmod 644 authorized_keys

  10. Open the authorized_keys file and add the following Trillium command before the word ecdsa-sha2-nistp256 which is in front of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server.

    command="/<linux_trillium_software_location>/trilsecure.sh"

   Example

   Before:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo…EVsaDRkT0flBxqo=

   After:

command="/Vendors/TrilliumSoftware/tsq/Software/bin/trilsecure.sh" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo…EVsaDRkT0flBxqo=

Note: If you are using Tectia, see Tectia’s documentation.

Rather than using Putty or CYGWIN, you can use the SSH command line interface on the server side invoking the ssh-keygen tool. You could do this step in your user account, or a system administrator could do this step in a designated Trillium user account.

To generate public and private keys using the SSH command line interface:

  1. Change directory to .ssh

  2. Using the following interactive command, generate public and private keys with a passphrase.

       ssh-keygen -t ecdsa

       Example
    Enter file to save key: directorkey
    Enter Passphrase: *******
    Re-Enter Passphrase: *******

       The following key files are generated in this example:

    • directorkey.pub. The public key which will be required on the server.

    • directorkey. The private key that stays on the client.

    Record the passphrase you created for this key. In the Director System Manager, you will need to specify both the private key file and its passphrase. Whenever you attempt to perform secured functionality for Linux-based Director services, the public key file and its passphrase are required.

  3. Copy the private key to the client machine. You can place the private key file anywhere on the client PC on which the Director System Manager runs. The private key is useless without a passphrase. Only you know that passphrase.

  4. Append the public key file to the authorized_keys file and set necessary permissions.

       Example
    cd ~/.ssh                    # the .ssh directory in your home directory
    cat directorkey.pub >> authorized_keys
    chmod 644 authorized_keys    # necessary permissions

  5. Open the authorized_keys file and add the following Trillium command before the word ecdsa-sha2-nistp256 which is in front of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server.

    command="/<linux_trillium_software_bin_location>/trilsecure.sh"

   Example

   Before:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo…EVsaDRkT0flBxqo=

   After:

command="/Vendors/TrilliumSoftware/tsq/Software/bin/trilsecure.sh" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNo…EVsaDRkT0flBxqo=
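The steps above (steps 9 and 10 of the Putty procedure and steps 4 and 5 of the ssh-keygen procedure) are the same in both cases: create the .ssh directory with mode 700, append the public key to authorized_keys with mode 644, and put the command="…/trilsecure.sh" directive in front of the key type. The script below is an added example, not Trillium's own tooling, that performs those steps in one place and then audits the result, so that a key line that was appended without the directive (and would therefore get an unrestricted shell instead of trilsecure.sh) is reported. The key line, the user comment and the /opt/tsq/Software/bin path are constructed placeholders standing in for a real key and for /<linux_trillium_software_location>.

```shell
#!/bin/sh
# Added example, not part of the Trillium product. Installs one public key as a
# trilsecure.sh-restricted authorized_keys entry and audits the .ssh layout.

# install_restricted_key SSH_DIR TRIL_BIN PUBKEY_FILE
#   SSH_DIR     the user's ~/.ssh directory (created if missing, set to 700)
#   TRIL_BIN    the Trillium Software bin directory holding trilsecure.sh
#   PUBKEY_FILE the .pub file produced by puttygen or ssh-keygen
install_restricted_key() {
    ssh_dir="$1"; tril_bin="$2"; pub="$3"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    # A .pub file holds a single line: <keytype> <base64 blob> [comment]
    line=$(head -n 1 "$pub")
    keytype=$(printf '%s\n' "$line" | awk '{print $1}')
    nfields=$(printf '%s\n' "$line" | awk '{print NF}')
    [ "$nfields" -ge 2 ] || { echo "malformed public key file: $pub" >&2; return 1; }
    # The guide generates ECDSA keys; refuse anything else rather than guess
    case "$keytype" in
        ecdsa-sha2-nistp256) ;;
        *) echo "unexpected key type '$keytype' in $pub" >&2; return 1 ;;
    esac
    # Do not prefix a line that already carries a command= directive
    case "$line" in
        command=*) entry="$line" ;;
        *) entry="command=\"$tril_bin/trilsecure.sh\" $line" ;;
    esac
    printf '%s\n' "$entry" >> "$ssh_dir/authorized_keys" &&
        chmod 644 "$ssh_dir/authorized_keys"
}

# audit_authorized_keys SSH_DIR
#   Returns 0 when the directory is 700, authorized_keys is 644 and every key
#   line starts with command=; otherwise prints the problems and returns 1.
audit_authorized_keys() {
    ssh_dir="$1"; ak="$ssh_dir/authorized_keys"; rc=0
    [ -n "$(find "$ssh_dir" -prune -perm 700)" ] || { echo "$ssh_dir is not mode 700" >&2; rc=1; }
    [ -n "$(find "$ak" -prune -perm 644)" ] || { echo "$ak is not mode 644" >&2; rc=1; }
    # Skip blank and comment lines; any remaining line without the directive
    # would let that key open an unrestricted session instead of trilsecure.sh
    grep -Ev '^[[:space:]]*(#|$)' "$ak" | grep -v '^command=' | while read -r bad; do
        echo "unrestricted key entry: ${bad%% *} ..." >&2
    done
    if grep -Ev '^[[:space:]]*(#|$)' "$ak" | grep -vq '^command='; then rc=1; fi
    return $rc
}

# Demonstration on a throwaway directory with a constructed placeholder key
demo_dir=$(mktemp -d)
printf 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= director@pc\n' > "$demo_dir/directorkey.pub"
install_restricted_key "$demo_dir/.ssh" "/opt/tsq/Software/bin" "$demo_dir/directorkey.pub"
audit_authorized_keys "$demo_dir/.ssh" && cat "$demo_dir/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

Run it on the server as the Trillium user (or have the administrator run it for a designated account); replacing the demonstration block with a call such as install_restricted_key ~/.ssh /<linux_trillium_software_location> directorkey.pub performs steps 4 to 6 of the overview, and audit_authorized_keys ~/.ssh can be re-run later to confirm that no key was added without the directive.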