Tuesday, December 3, 2024

Connect to a remote server using the private key credential

When a third-party tool such as PPM (Project and Portfolio Management) or Venafi (an SSL certificate tool) needs to access the Oracle EBS server, we usually have to share the applmgr password with other teams. The bigger challenge is that when that password is changed periodically, as the security policy on the EBS server requires, the third party's process fails. A better and more efficient way is to give them a private key so they can log on to the EBS server without entering the password. Steps to accomplish that on RHEL8 servers:

On Oracle EBS server ebs2d (local server):

1. Generate a pair of key files
$ hostname
ebs2d
$ echo $USER
applmgr

$ ssh-keygen -t rsa -b 2048 -f $HOME/.ssh/Venafi_id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /u06/app/.ssh/Venafi_id_rsa.
Your public key has been saved in /u06/app/.ssh/Venafi_id_rsa.pub.
The key fingerprint is:
SHA256:3y1+M95Js+4k383juI/qSsxxxxxxx   applmgr@ebs2d.domain.com
The key's randomart image is:
+---[RSA 2048]----+
|      .   .                   |
|      ... ...                 |
+----[SHA256]-----+ 

$ cd .ssh
$ ls -alZ
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 Venafi_id_rsa
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0  409 Jun  4 20:27 Venafi_id_rsa.pub
-rw-------.  1 applmgr grp system_u:object_r:unlabeled_t:s0     3563 Jan 16 11:35 known_hosts

2. Create file authorized_keys as a copy of the public key file Venafi_id_rsa.pub (or, if authorized_keys already exists, append the key to it)
$ cat Venafi_id_rsa.pub >> authorized_keys    # (if authorized_keys already exists, back it up first)
$ chmod 600 authorized_keys       # <= the correct permission matters: with StrictModes (the sshd default), a group- or world-writable file is ignored

3. Fix the SELinux labels on file authorized_keys (RHEL8)
$ chcon -u system_u authorized_keys
$ chcon -t user_home_t authorized_keys

$ ls -alZ
-rw-------.  1 applmgr grp system_u:object_r:user_home_t:s0 409 Jun  4 20:29 authorized_keys
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 Venafi_id_rsa
-rw-------.  1 applmgr grp unconfined_u:object_r:unlabeled_t:s0  409 Jun  4 20:27 Venafi_id_rsa.pub
-rw-------.  1 applmgr grp system_u:object_r:unlabeled_t:s0     3563 Jan 16 11:35 known_hosts

4. Copy the private key Venafi_id_rsa to the remote server venafi1p and give it a meaningful name. Or, send file Venafi_id_rsa to other trusted teams if requested.
$ scp -p Venafi_id_rsa usrID@venafi1p:/path/to/applmgr_ebs2d_Venafi_key
Password:
Venafi_id_rsa                                                           100% 1843   903.2KB/s   00:00

NOTES: if you get an error such as "The ECDSA host key for venafi1p has changed, ...", remove the stale entry from known_hosts with
$ ssh-keygen -R venafi1p
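
As an added example (not from the original post), the shell function below does steps 2 and 3 in a safer form: it backs up an existing authorized_keys, refuses duplicate keys, sets the 600 permission, restores the SELinux label with restorecon (the standard alternative to the chcon commands above), and prefixes the key with restrict,from="venafi1p" so it only works from the third party's host and cannot do port, agent or X11 forwarding. It assumes the public key to install is passed as a file argument (when the third party generates the key pair on their own host, only the public half needs to be sent and step 4 is unnecessary) and that the key is used for scp/sftp: restrict also disables pty allocation, so add ,pty if an interactive shell is also required.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a third party's public
# key into authorized_keys with restrictions, correct permissions and label.
#   $1  .ssh directory of the account being accessed (e.g. applmgr's $HOME/.ssh)
#   $2  public key file to install (e.g. Venafi_id_rsa.pub)
#   $3  host the key may connect from (the post's venafi1p); becomes from="..."
# Usage on ebs2d: install_restricted_key "$HOME/.ssh" Venafi_id_rsa.pub venafi1p
install_restricted_key() {
    ssh_dir=$1 pub=$2 from_host=$3
    auth="$ssh_dir/authorized_keys"
    # sshd (StrictModes) ignores keys if ~/.ssh or authorized_keys is group/world writable
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    # keep only key type + key material; the trailing comment is free text
    key=$(awk 'NR==1 {print $1 " " $2}' "$pub") || return 1
    [ -n "$key" ] || return 1
    # refuse to add the same key twice
    if [ -f "$auth" ] && grep -qF "$key" "$auth"; then
        echo "key already present in $auth" >&2
        return 2
    fi
    # back up an existing file before appending, as the post advises
    if [ -f "$auth" ]; then
        cp -p "$auth" "$auth.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    # restrict: no port/agent/X11 forwarding and no pty; from=: only from that host
    printf 'restrict,from="%s" %s third-party-key\n' "$from_host" "$key" >> "$auth"
    chmod 600 "$auth"
    # on an SELinux host, reset the label from policy instead of hand-setting it with chcon
    if [ -d /sys/fs/selinux ] && command -v restorecon >/dev/null 2>&1; then
        restorecon "$auth" 2>/dev/null || true
    fi
}
```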

On remote server venafi1p (host of the third-party tool):

After receiving the private key applmgr_ebs2d_Venafi_key, the other team can use ssh, scp or sftp to connect to the Oracle EBS server ebs2d with the private key as the credential (i.e. without entering applmgr's password).

$ hostname
venafi1p
$ echo $USER
usrID

$ cd /path/to
$ ls -alZ
-rw-------. 1 usr group unconfined_u:object_r:unlabeled_t:s0 1843 Jun  4 20:27 applmgr_ebs2d_Venafi_key

$ ssh -i /path/to/applmgr_ebs2d_Venafi_key applmgr@ebs2d
Connected!

$ hostname
ebs2d
$ echo $USER
applmgr

The goal is reached: the Venafi server can set up a process or script (using sftp or scp) to send SSL certificates to EBS server ebs2d smoothly for periodic certificate renewal.

My old post has more details on running ssh, sftp and scp between servers without a password.
