Preparing for an SSH connection between IBM i and SVC storage (7.4)

Background

Communication between PowerHA and SVC is done using SSH. You must create SSH key pairs and attach the SSH public key to a user on the storage system. The corresponding private key file is specified when adding copy descriptions later in the configuration.

PowerHA uses SSH keys rather than passwords because they offer the following security advantages over using passwords:

  • Reduced risk of brute-force attacks: Due to their complex nature and length, SSH keys are virtually impossible to guess or crack through brute-force attempts.

  • No transmission of sensitive data: With passwords, the password is sent to the server. When using an SSH key, the private key remains on the client side, and no secret value is ever sent to the server. Even if an attacker caused the client to connect to a fake server, the SSH key remains safe, because the fake server does not gain enough information about the key to compromise it.

Before you begin

This scenario assumes that the following tasks have been completed prior to these steps:

  • 5770-SS1 Option 33 - Portable Application Solution Environment (PASE) is installed on all nodes in the cluster.

  • 5733-SC1 *BASE and Option 1 - IBM Portable Utilities for i and OpenSSH, OpenSSL, zlib is installed on all nodes in the cluster.

Procedure

Generate the SSH Key pair

The ssh-keygen command is used to generate a key pair.

  1. Sign on with a user that has *ALLOBJ authority.

  2. Go to Qshell by typing QSH.

  3. Make the directory for the key pair: mkdir /QIBM/UserData/HASM/hads/.ssh/

  4. Ensure the ownership of the .ssh directory is QHAUSRPRF: chown QHAUSRPRF /QIBM/UserData/HASM/hads/.ssh/

  5. Ensure the permissions of the .ssh directory limits access to just QHAUSRPRF: chmod 0700 /QIBM/UserData/HASM/hads/.ssh/

  6. Navigate to the .ssh directory: cd /QIBM/UserData/HASM/hads/.ssh/

  7. Use the ssh-keygen command to generate a public/private key pair. For example: ssh-keygen -t rsa -f id_rsa -N ''
    The id_rsa file is the private key file that PowerHA uses to authenticate with the storage. The id_rsa.pub file is the public key file that is imported and associated with a user on the storage system.

Warning: PowerHA does not support using passphrases with the ssh keys. If prompted for a passphrase when generating an ssh key pair, press enter to generate a key pair with no passphrase.

  8. Change the ownership and authority of the private key to QHAUSRPRF:

    1. chown QHAUSRPRF /QIBM/UserData/HASM/hads/.ssh/id_rsa

    2. chmod 0600 /QIBM/UserData/HASM/hads/.ssh/id_rsa

Distribute the private key to other nodes in the Cluster

PowerHA expects the same private key file to be on all nodes in the cluster.

  1. Create the same directory on other nodes in the cluster:

    1. Go to Qshell by typing QSH.

    2. Make the directory for the key pair: mkdir /QIBM/UserData/HASM/hads/.ssh/

    3. Ensure the ownership of the .ssh directory is QHAUSRPRF: chown QHAUSRPRF /QIBM/UserData/HASM/hads/.ssh/

    4. Ensure the permissions of the .ssh directory limits access to just QHAUSRPRF: chmod 0700 /QIBM/UserData/HASM/hads/.ssh/

  2. Use a file transfer mechanism such as FTP or SCP to transfer the private key to the directory /QIBM/UserData/HASM/hads/.ssh/ on the other nodes.

  3. Change the ownership and authority of the private key to QHAUSRPRF:

    1. chown QHAUSRPRF /QIBM/UserData/HASM/hads/.ssh/id_rsa

    2. chmod 0600 /QIBM/UserData/HASM/hads/.ssh/id_rsa

  4. Repeat these steps for each node in the cluster.
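The following POSIX shell check is an added example, not part of the PowerHA documentation: run it in Qshell or PASE on the node that generated the key pair and again on each node that received a copy, to confirm that the directory and private key have the ownership and permissions set in the steps above and that the key loads without a passphrase. The path and owner default to the documented /QIBM/UserData/HASM/hads/.ssh and QHAUSRPRF; the function names are my own, and the passphrase check assumes ssh-keygen from 5733-SC1 is on the PATH.

```shell
#!/bin/sh
# Added example (not from the PowerHA documentation): verify the key layout
# the procedure above creates. Function names are my own.
# Assumes POSIX ls -ld output (mode, links, owner, ...) and, for the
# passphrase check, ssh-keygen from 5733-SC1 on the PATH.

# _check_entry PATH EXPECTED_MODE_STRING OWNER
#   Compares one entry's ls -ld mode string and owner (case-insensitively,
#   since PASE may show profile names in lower case). Returns 1 on mismatch.
_check_entry() {
  [ -e "$1" ] || { echo "MISSING    $1"; return 1; }
  path=$1; want_mode=$2; want_owner=$3
  set -- $(ls -ld "$path")           # $1=mode $2=links $3=owner ...
  mode=${1%[.+]}                     # drop ACL/SELinux marker some ls append
  have=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  want=$(printf '%s' "$want_owner" | tr '[:upper:]' '[:lower:]')
  status=0
  [ "$mode" = "$want_mode" ] || { echo "MODE       $path is $mode, want $want_mode"; status=1; }
  [ "$have" = "$want" ]      || { echo "OWNER      $path is $3, want $want_owner"; status=1; }
  return $status
}

# check_key_layout [DIR] [OWNER]
#   The directory must be 0700 and id_rsa 0600, both owned by OWNER.
#   Defaults are the documented path and QHAUSRPRF. Returns 0 only if
#   every check passes; each failure is printed with its reason.
check_key_layout() {
  dir=${1:-/QIBM/UserData/HASM/hads/.ssh}
  owner=${2:-QHAUSRPRF}
  rc=0
  _check_entry "$dir"        "drwx------" "$owner" || rc=1
  _check_entry "$dir/id_rsa" "-rw-------" "$owner" || rc=1
  return $rc
}

# check_key_unprotected [KEYFILE]
#   PowerHA cannot supply a passphrase, so the private key must load with an
#   empty one; ssh-keygen -y fails if the key is passphrase-protected.
check_key_unprotected() {
  key=${1:-/QIBM/UserData/HASM/hads/.ssh/id_rsa}
  ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1 \
    || { echo "PASSPHRASE $key does not load with an empty passphrase"; return 1; }
  return 0
}
```

Source the file in Qshell on each node and run `check_key_layout && check_key_unprotected`; a non-zero return with a MISSING, MODE, OWNER or PASSPHRASE line tells you which step to redo on that node.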

Associate the Public Key file with a user on the Storage Controller

The file name that ends in .pub, such as id_rsa.pub, contains the public key. This file must be transferred to the storage controller and assigned to a user that has enough authority to perform PowerHA operations.

  1. Transfer the public key file to your PC.

  2. Log into the storage system GUI interface.

  3. If you are logged in as the user that PowerHA will be using, click the user icon in the upper-right of the screen and select Manage SSH public Key.

    1. Check the box to enable CLI access via SSH key exchange.

    2. Browse to select the public key file transferred in step 1.

    3. Click OK to save the changes

  4. If you are not logged in as the user that PowerHA will be using, create or modify the user:

    1. Navigate to Access > Users by Group.

    2. If the user does not exist, click Create User:

      1. Give the user a name such as powerha_mycluster.

      2. For authentication mode, use local.

      3. Select a security group.

Storage User Authority

For performing replication functionality such as Metro Mirror, Global Mirror, or Asynchronous Policy-based Replication, PowerHA requires a minimum role of Copy Operator. If you want to use LUN-level switching, the user in the storage must have a minimum role of Administrator, because PowerHA must change host attachments when switching the IASP between systems.

      4. Select Browse to specify the public key file, such as id_rsa.pub.

Security Tip

It is not required to have a password set for the user that PowerHA uses. Therefore, we recommend not configuring a password. This ensures that the only way to log in as this user is with the SSH private key.

      5. Click Create.

  5. If using replication such as Metro Mirror, Global Mirror, or Asynchronous Policy-based Replication, configure the user and key file for the second storage controller.

Results

The SSH key files are created and distributed between nodes in the PowerHA cluster, and the storage controllers are configured for SSH key authentication. PowerHA will be configured to use these key files when adding copy descriptions.

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.