BuildForge/RAFW and ssh certificate authentication


Laura Venturini (661138) | asked May 28 '10, 9:45 a.m.
Hi all,
When launching the RAFW environment generation wizard, both to generate a new environment and to import an existing WebSphere cell/server, it is necessary to explicitly enter the user name and password of the user under which the WebSphere process will run.
The customer is asking if it's possible to avoid entering the password, loading the ssh certificate (used for authentication) instead.

The same request is also for BuildForge server authentication section...

Thanks
Laura

9 answers



Timothy Robertson (216143) | answered Jun 01 '10, 12:08 p.m.
Using SSH keys is supported in RAFW. You can choose to use ssh keys or you can choose to connect with a password to the target system. Additionally, if you use ssh keys, an empty passphrase is no longer required, in fact any passphrase (empty or otherwise) is supported.

The steps needed to configure RAFW are outlined in the remainder of this post.

Option 1: Login w/ username/password

- During env generation supply the os_password.
- The OS password will be encrypted before being stored in the generated environment tree.
- Test connectivity (see below).

Option 2: Use ssh keys

Here the setup instructions are more complex but security is improved.

- Use ssh-keygen to generate the key; you can still use an empty pass phrase, or you can supply a pass phrase.
- Copy the public keys to the authorized keys file on the target system (like you normally would).
- Copy id_rsa and id_rsa.pub (just an example; could be id_dsa and id_dsa.pub depending on your key type) from .ssh on the Framework Server to $RAFW_HOME/user/keys/
- Rename these files as
  - ssh_id
  - ssh_id.pub
- During environment generation supply the pass phrase that you used when you created your key as the os_password (this will accept an empty string if you created a key with an empty pass phrase).
- The pass phrase will be encrypted before being stored in the generated environment tree.
- Test connectivity (see below).

Testing Connectivity

To test connectivity I use rafw.sh -e env -c cell -n node

This will verify that I can connect to the target system (TS) as well as transfer the product to the TS. No action will be run on the TS.
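The "Option 2" key steps above, as an added example rather than any tooling shipped with RAFW: a POSIX shell helper that appends the public key to an authorized_keys file without duplicating it (the target-system step) and stages the pair into $RAFW_HOME/user/keys/ as ssh_id / ssh_id.pub (the Framework Server step). The $RAFW_HOME/user/keys/ location and the ssh_id names come from the post; the argument order, the mode check on the private key and the content sanity checks are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of RAFW): helpers for the ssh-key setup steps.
#   install_authorized_key - run on the target system: append the public
#                            key line to authorized_keys, idempotently
#   stage_rafw_keys        - run on the Framework Server: validate the pair
#                            and copy it to $RAFW_HOME/user/keys/ssh_id(.pub)
# Assumptions: the $RAFW_HOME/user/keys/ path and ssh_id names are from the
# post; the checks below are this example's own, not RAFW behaviour.

# install_authorized_key <public-key-file> <authorized_keys-file>
# Appends the key line only if that exact line is not already present.
install_authorized_key() {
    pub="$1"; auth="$2"
    key=$(cat "$pub") || return 1
    mkdir -p "$(dirname "$auth")" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# stage_rafw_keys <private-key> <public-key> <RAFW_HOME>
# Prints the path of the staged private key on success; on any check
# failure returns 1 without creating anything under $RAFW_HOME.
stage_rafw_keys() {
    priv="$1"; pub="$2"; home="$3"
    [ -f "$priv" ] || { echo "missing private key: $priv" >&2; return 1; }
    [ -f "$pub" ]  || { echo "missing public key: $pub" >&2; return 1; }
    # A private key readable by other users defeats the point of key auth.
    mode=$(stat -c %a "$priv" 2>/dev/null || stat -f %Lp "$priv")
    case "$mode" in
        600|400) ;;
        *) echo "$priv is mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
    # Cheap content checks: a PEM/OpenSSH private key and a public key line.
    grep -q 'PRIVATE KEY' "$priv" ||
        { echo "$priv does not look like a private key" >&2; return 1; }
    grep -Eq '^ssh-(rsa|dss|ed25519) ' "$pub" ||
        { echo "$pub does not look like an ssh public key" >&2; return 1; }
    dest="$home/user/keys"
    mkdir -p "$dest" || return 1
    cp "$priv" "$dest/ssh_id" && chmod 600 "$dest/ssh_id" || return 1
    cp "$pub" "$dest/ssh_id.pub" && chmod 644 "$dest/ssh_id.pub" || return 1
    echo "$dest/ssh_id"
}

# Typical use on the Framework Server after ssh-keygen:
#   stage_rafw_keys ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "$RAFW_HOME"
# then supply the key's pass phrase as os_password during environment
# generation and run the connectivity test from the post:
#   rafw.sh -e env -c cell -n node
```

The private-key mode check runs before anything is written, so a world-readable key is rejected rather than being copied into the framework tree with the same weak permissions; install_authorized_key can be re-run safely when the same key is rolled out to several target systems.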

Peter Birk (501145) | answered Jun 01 '10, 3:23 p.m.
JAZZ DEVELOPER

The same request is also for BuildForge server authentication section...


Hi Laura,

For Build Forge, if you run the Agent as a non-root user, you don't have to send the server auth userid/password to it. You can secure access to the agent using SSL client authentication. The steps to configure SSL on the agent are documented in the Build Forge installation guide (for 7.1.1 and later). To enable SSL client authentication at the agent, unremark the "client_authentication true" line in bfagent.conf. Let me know if you have additional questions.

Regards,
Pete

sriram thiruvenkatachari (8698) | answered Aug 17 '10, 3:11 p.m.
I am trying to do something very similar. Was able to get the SSH working for RAFW, but having trouble with the BF agent. Would appreciate some assistance.

I followed the BF documentation in setting up the SSL (temporarily used keys that come from Build Forge) on the agent side. I was able to start the agent successfully after enabling SSL.

When connecting from the console, I am getting functional failure when testing the server definition. I have enabled the "ssl enabled" field. The agent is running as a root on the destination machine.

Thanks

sriram thiruvenkatachari (8698) | answered Aug 17 '10, 3:30 p.m.
Just want to add additional info. I enabled debugging on the agent. On the agent side, the start up comes clean. Here is the message I get.


528416] main.c : 404: === NEW AGENT ===
platform.c : 151: ICONV ok
platform.c :1837: LOCALE ok(LANG)
io.c : 268: In start_SSL
io.c : 73: FIPS enabled: false
io.c : 92: Key location: /usr/local/bin/buildForgeKey.pem
bfpwdlocloader.c: 38: Looking for password locator: ssl_key_password_locator
bfpwdlocloader.c: 106: No password encryption module is found.
bfpwdlocloader.c: 244: Looking for password for prop ssl_key_password from bfagent.conf.
bfcryptloader.c : 575: Password decoded.
io.c : 101: Cert location: /usr/local/bin/buildForgeCert.pem
bfpwdlocloader.c: 38: Looking for password locator: ssl_cert_password_locator
bfpwdlocloader.c: 106: No password encryption module is found.
bfpwdlocloader.c: 244: Looking for password for prop ssl_cert_password from bfagent.conf.
io.c : 156: Setting key password in default userdata.
io.c : 163: Getting private key from PEM.
io.c : 169: Checking private key from PEM.
io.c : 175: Getting CA store information.
bfpwdlocloader.c: 38: Looking for password locator: ssl_ca_password_locator
bfpwdlocloader.c: 106: No password encryption module is found.
bfpwdlocloader.c: 244: Looking for password for prop ssl_ca_password from bfagent.conf.
io.c : 181: CA location: /usr/local/bin/buildForgeCert.pem
io.c : 187: Checking the CA store.
io.c : 233: Returning from init_CTX.
io.c : 285: Calling SSL_new
io.c : 298: Calling SSL_accept.

On the engine side, when testing the connection, I do not get any error messages except the one below.


Tue Aug 17 15:28:09 2010: Services: 659474: CRRBF1381I: Established connection to Build Forge Services.
Tue Aug 17 15:28:10 2010: ServerTest: 659474: CRRBF0364I: Agent Test initiated for server 'nc006txxx'.
Tue Aug 17 15:28:13 2010: ServerTest: 659474: CRRBF0363I: Agent test completed for server 'nc006txxx', setting error status to 'Y'.

Peter Birk (501145) | answered Aug 25 '10, 8:06 p.m.
JAZZ DEVELOPER
Set the following ENV variable on the console server, prior to starting the console: SET BFDEBUG_SECURITY=1
(or export on Unix).

Then run "bfservertest <servername>" and it should have the same connection issue but with a lot more information.

Regards,
Pete

sriram thiruvenkatachari (8698) | answered Aug 31 '10, 10:53 a.m.
Thanks. How can I set up the agent to run as a non-root user? I believe the issues I am having might be related to the process running as root.

Thanks,

Peter Birk (501145) | answered Aug 31 '10, 11:01 a.m.
JAZZ DEVELOPER
Thanks. How can I set up the agent to run as a non-root user? I believe the issues I am having might be related to the process running as root.

Thanks,


1) Run the agent service as non-root.

2) Configure the agent with the magic_login feature. Edit bfagent.conf and configure the magic_login user/pass. You can configure the pass via bfagent -e <pass> and put the one-way hash in the password field of the magic_login line.

Example: magic_login build:823bf1ded7df5fc300f7f25a82ada0b02da7dfe631e20912e843

To obtain the one-way hash of password:
C:\Program Files\IBM\Build Forge\Agent>bfagent -e password
823bf1ded7df5fc300f7f25a82ada0b02da7dfe631e20912e843

3) Save bfagent.conf.

4) Configure a server auth with the same userid/password which will be sent to the agent. The agent is going to compare the userid/hash(password) sent with what's in bfagent.conf. If it matches, it allows the command to execute with the credentials running the agent.

Another way to do this is to configure mutual SSL between the agent and the console. This establishes the trust in the console necessary for the agent to execute a command securely.

Let me know if you have any questions about this.

Regards,
Pete

sriram thiruvenkatachari (8698) | answered Aug 31 '10, 11:34 a.m.
Thanks. How can I set up the agent to run as a non-root user? I believe the issues I am having might be related to the process running as root.

Thanks,


1) Run the agent service as non-root.

2) Configure the agent with the magic_login feature. Edit bfagent.conf and configure the magic_login user/pass. You can configure the pass via bfagent -e <pass> and put the one-way hash in the password field of the magic_login line.

Example: magic_login build:823bf1ded7df5fc300f7f25a82ada0b02da7dfe631e20912e843

To obtain the one-way hash of password:
C:\Program Files\IBM\Build Forge\Agent>bfagent -e password
823bf1ded7df5fc300f7f25a82ada0b02da7dfe631e20912e843

3) Save bfagent.conf.

4) Configure a server auth with the same userid/password which will be sent to the agent. The agent is going to compare the userid/hash(password) sent with what's in bfagent.conf. If it matches, it allows the command to execute with the credentials running the agent.

Another way to do this is to configure mutual SSL between the agent and the console. This establishes the trust in the console necessary for the agent to execute a command securely.

Let me know if you have any questions about this.

Regards,
Pete

Thanks Pete.
I am getting very close. Did all the changes on the agent side and see the agent process running under non-root after changes. When connecting from the console, I am getting the below error. I updated the console server auth with the hash.

Also, I would like to compare this with the mutual SSL between agent and console. Can you refer me to a link to enable that? Thanks,

Getting IPV6 Address info...
Use of uninitialized value in concatenation (.) or string at /PerlApp/BuildForge/Agent/Connection.pm line 162.
IPV6: Family , Type , Proto , CannonName []
Decoded password.
Password was already plaintext.
Password was already plaintext.
SSL_ca_file: ./keystore/buildForgeCA.pem
SSL_cert_file: ./keystore/buildForgeCert.pem
SSL_key_file: ./keystore/buildForgeKey.pem
SSL_verify_mode: 0x01
SSL_version: TLSv1
SSL_cipher_list: ALL
SSL_use_cert: 1
Making as SSL connection using socket: IO::Socket::INET=GLOB(0x40fd7bc).
Platform: MSWin32
SSL connection to agent.
DEBUG: .../IO/Socket/SSL.pm:1387: new ctx 32893416
DEBUG: .../IO/Socket/SSL.pm:880: dont start handshake: IO::Socket::SSL=GLOB(0x40fd7bc)
DEBUG: .../IO/Socket/SSL.pm:284: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:327: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1135: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

DEBUG: .../IO/Socket/SSL.pm:333: fatal SSL error: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
DEBUG: .../IO/Socket/SSL.pm:1422: free ctx 32893416 open=32893416 67030920
DEBUG: .../IO/Socket/SSL.pm:1425: OK free ctx 32893416
Socket is of type: IO::Socket::SSL=GLOB(0x40fd7bc)
Socket errstr (if applicable): SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Handshake successful? --> -1 (1 if successful handshake, -1 if unsuccessful handshake, false if not open)
ReadyLine: .
Agent Connecting...
---- Disconnect Called from ,,
3720 PRE:
3720 PRE:
3720 PRE:
08/31/2010 11:29:07 AM: ServerTest: 3720: CRRBF0363I: Agent test completed for server 'nc006t023', setting error status to 'Y'.
DEBUG: .../IO/Socket/SSL.pm:1422: free ctx 67030920 open=67030920
DEBUG: .../IO/Socket/SSL.pm:1425: OK free ctx 67030920

Peter Birk (501145) | answered Aug 31 '10, 11:49 a.m.
JAZZ DEVELOPER
It appears that SSL is enabled on one side of the connection, but disabled on the other side. If you have SSL enabled in the server panel (console), make sure bfagent.conf on the agent system has the SSL properties enabled.

The key indicator is SSL3_GET_RECORD:wrong version number. This indicates SSL is probably enabled in the console but not the agent.

DEBUG: .../IO/Socket/SSL.pm:333: fatal SSL error: SSL connect attempt failed with unknown errorerror:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Regards,
Pete
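Pete's diagnosis above, turned into a small triage script as an added example (not Build Forge tooling): it reads a saved bfservertest transcript produced with BFDEBUG_SECURITY=1 and names the likely cause, so that an SSL-on-one-side-only mismatch is not chased as a certificate or credential problem. The "wrong version number" and "Handshake successful?" indicators are taken from the transcript posted above; "certificate verify failed" and "unknown ca" are standard OpenSSL error text; the category names and their priority order are this example's own.

```shell
#!/bin/sh
# Added example, not part of Build Forge: classify a bfservertest transcript
# (console side, BFDEBUG_SECURITY=1) by the SSL failure it shows.
# Indicator strings come from the transcript above and from OpenSSL's own
# error messages; the categories below are this example's assumption.

# diagnose_bfservertest <transcript-file>
# Prints exactly one of: ssl-mismatch, trust-failure, handshake-failed,
# ok, unknown.
diagnose_bfservertest() {
    log="$1"
    if grep -q 'wrong version number' "$log"; then
        # One side spoke TLS while the other sent plaintext: SSL is enabled
        # in the console server panel or in bfagent.conf, but not in both.
        echo ssl-mismatch
    elif grep -Eq 'certificate verify failed|unknown ca' "$log"; then
        # Both sides speak TLS but the peer certificate is not trusted
        # (wrong CA file on the verifying side, or the wrong cert presented).
        echo trust-failure
    elif grep -q 'Handshake successful? --> -1' "$log"; then
        # Handshake failed for a reason not matched above; read the
        # IO::Socket::SSL DEBUG lines preceding this marker.
        echo handshake-failed
    elif grep -q 'Handshake successful? --> 1' "$log"; then
        echo ok
    else
        echo unknown
    fi
}

# console_ssl_settings <transcript-file>
# Lists the console-side SSL settings the transcript echoes, so they can be
# compared line by line with what bfagent.conf has enabled on the agent.
console_ssl_settings() {
    grep -E '^SSL_(version|verify_mode|use_cert|ca_file|cert_file|key_file):' "$1"
}

# Usage: bfservertest <servername> > test.log 2>&1
#        diagnose_bfservertest test.log; console_ssl_settings test.log
```

For the transcript in the post the script answers ssl-mismatch, which is the case where enabling the SSL properties in bfagent.conf (or disabling "ssl enabled" in the server panel) is the fix; trust-failure is the next thing to expect once both sides do speak TLS and the CA file on the verifying side does not match the certificate the peer presents.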
