Adding an SSH key

Add an SSH key.

Tip

To create an SSH key on the target Linux server, follow the instructions in IBM Spectrum Protect Plus Installation and User’s Guide.

Method and URI

To add an SSH key, use a POST method with a URI:

POST    https://{hostname|IPv4}/api/identity/key

Parameters

None.

Data

Data 1: name

The name of the SSH key.

  • Example value: BlueMachines Amazon S3 California Key

  • Type: String. Required. Available in the web user interface.

Data 2: user

The username on the target Linux server with which you want to establish an SSH connection.

  • Example value: sarah-oracle1

  • Type: String. Required. Available in the web user interface.

Data 3: keytype

The type of key.

  • Value: ssh_private_key

  • Type: System string. Required. Available in the web user interface.

Data 4: privatekey

The private SSH key of the target Linux server. Replace new lines with the escape sequence characters \n.

  • Example value:

-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,08295638...\n\nUbdH2oDSWTCkWrxWsLaDvEvV77O4vZhxDkcE6plRYyp8d4aCQ...wS1Ff2nxnW/7A9i9yKRGvFIiaotFIoa43ZLA8ivn\n-----END RSA PRIVATE KEY-----

  • Type: String. Required. Available in the web user interface.

Data 5: passphrase

The optional passphrase for the SSH key of the target Linux server. It may be different from the user password of the Linux server.

  • Example value: E^vBQ:9!Y)w<pNw~

  • Type: String. Available in the web user interface.

Example: Create an SSH key

Assume that you want to establish a secure connection between IBM Spectrum Protect Plus and a Linux server that hosts an Oracle Database. You log in to the Linux server and generate an SSH public key and private key:

[sarah@workstation ~ ] ssh sarah-oracle1@10.4.4.1  # oracle-dallas1
sarah-oracle1@10.4.4.1's password: A'mK'"~RPtY=*k(h
...
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sarah-oracle1/.ssh/id_rsa):
Created directory '/home/sarah-oracle1/.ssh'.
Enter passphrase (empty for no passphrase): E^vBQ:9!Y)w<pNw~
...
Your identification has been saved in /home/sarah-oracle1/.ssh/id_rsa.
Your public key has been saved in /home/sarah-oracle1/.ssh/id_rsa.pub.
...
The key's randomart image is:
+---[RSA 2048]----+
|     +.o=o  o    |
...
+----[SHA256]-----+
$ cat /home/sarah-oracle1/.ssh/id_rsa.pub
ssh-rsa 22EYOeQkIV0Olveps...
$ cat /home/sarah-oracle1/.ssh/id_rsa.pub \
  >> /home/sarah-oracle1/.ssh/authorized_keys
$ chmod 600 \
  /home/sarah-oracle1/.ssh/authorized_keys
$ sudo cp /etc/ssh/sshd_config{,.bak}
$ sudo vi /etc/ssh/sshd_config    # Enable: PubkeyAuthentication yes
$ systemctl restart sshd
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Multiple identities can be used for authentication:
 1.  oracle
 2.  grid
 3.  sarah-oracle1
Choose identity to authenticate as (1-3): 3
Password: A'mK'"~RPtY=*k(h
==== AUTHENTICATION COMPLETE ===
$ cat /home/sarah-oracle1/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4E9A0765C9067B52F06549D610C6591A

xbeIIcosQ5TsuqXirKJFlgOz1ryQus7RrapZcBgSuZ8PdVXvtvYDBA2qRo79G4OY
...
Pnidu8/8iFy7uoNe9F5J6h40g6S1vI58Ub/e9fbgIzd2NO5MhYkc5c0a8I1rhUq1
-----END RSA PRIVATE KEY-----
$

The SSH key you have generated on the Linux server can be summarized as below:

  • Name: Oracle - Dallas 1 SSH

  • User: sarah-oracle1

  • Private key: See the Python snippet.

  • Passphrase: E^vBQ:9!Y)w<pNw~

A Python snippet that is similar to the following example can be used to send a request to IBM Spectrum Protect Plus to add the new SSH key:

import requests

# The private key exactly as printed by `cat ~/.ssh/id_rsa` (elided here).
privatekey_original = '''-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4E9A0765C9067B52F06549D610C6591A

xbeIIcosQ5TsuqXirKJFlgOz1ryQus7RrapZcBgSuZ8PdVXvtvYDBA2qRo79G4OY
...
Pnidu8/8iFy7uoNe9F5J6h40g6S1vI58Ub/e9fbgIzd2NO5MhYkc5c0a8I1rhUq1
-----END RSA PRIVATE KEY-----'''


privatekey = privatekey_original.replace('\n', '\\n')  # Replace new lines with \n

# Request body; the doubled braces are literal braces inside the f-string.
_data = f'''{{
    "name":       "Oracle - Dallas 1 SSH",
    "user":       "sarah-oracle1",
    "keytype":    "ssh_private_key",
    "privatekey": "{privatekey}",
    "passphrase": "E^vBQ:9!Y)w<pNw~"
}}'''

# spp_ipv4 holds the hostname or IPv4 address of IBM Spectrum Protect Plus.
# The headers and verify arguments are elided here; supply your own values.
requests.post('https://' + spp_ipv4 + '/api/identity/key',
    headers={...}, data=_data, verify=...)

Figure 62 The same action can be taken in the IBM Spectrum Protect Plus web user interface: In the Keys and Certificates pane, click the SSH Keys tab. Click Add SSH Key. In the Add New SSH Key section, enter the name, username, and private key, and click Save. You can select the Encrypted checkbox and enter the password to encrypt the SSH connection.

After you run the Python snippet, ensure that you get a response with the HTTP status of 200 (OK) and that the SSH key settings are updated. This request is similar to the one that you used to create the SSH key; compare the HTTP request method, the URI, the data values, and the HTTP status code in the response. The response body is similar to the JSON object for the original SSH key, as shown in Getting information about access keys and SSH keys.
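The snippet above embeds the private key and passphrase in the script and assembles the JSON body by string templating, which breaks as soon as a passphrase contains a double quote or backslash. The following added example (not part of the IBM documentation) builds the same body by reading the key from a file and serializing with json.dumps, which performs the \n escaping itself. The names build_key_payload and write_sample_key, the sample PEM text, and the file-permission check are assumptions made for this illustration, not API requirements.

```python
import json
import os
import stat
import tempfile

# Constructed sample, not a real key; the body line is placeholder text.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "CONSTRUCTEDSAMPLEBODYNOTAREALKEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def write_sample_key(mode=0o600):
    """Write SAMPLE_PEM to a temporary file with the given mode (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_PEM)
    os.chmod(path, mode)
    return path


def build_key_payload(name, user, key_path, passphrase=None):
    """Return the JSON request body for POST /api/identity/key."""
    # Added precaution: refuse key files that group or other users can access.
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{key_path} is accessible to group/other: {oct(mode)}")
    with open(key_path, encoding="ascii") as fh:
        pem = fh.read().strip()
    lines = pem.splitlines() or [""]
    first, last = lines[0], lines[-1]
    if not (first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----")
            and last.startswith("-----END ") and last.endswith("PRIVATE KEY-----")):
        raise ValueError("file does not look like a PEM private key")
    body = {"name": name, "user": user,
            "keytype": "ssh_private_key", "privatekey": pem}
    if passphrase:  # the passphrase field is optional
        body["passphrase"] = passphrase
    # json.dumps writes each newline as the two characters \n and escapes " and \,
    # so no manual replace() or string templating is needed.
    return json.dumps(body)


if __name__ == "__main__":
    key_file = write_sample_key()
    # Constructed passphrase with characters that break hand-built JSON.
    print(build_key_payload("Oracle - Dallas 1 SSH", "sarah-oracle1", key_file, 'p"a\\ss'))
    os.remove(key_file)
```

The returned string can be passed as the data argument of the requests.post call shown earlier; in real use, take the passphrase from a prompt or a secrets store rather than a literal.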