BE Homes Discovery in the TEA Web UI fails when using an OpenSSH-formatted private key
Article ID: KB0072533
Updated On:
| Products | Versions |
|---|---|
| TIBCO BusinessEvents Enterprise Edition | 6.x |
Description
When attempting to add a new BE TEA Agent machine in the TEA Server Web UI, I want the TEA Server to automatically discover the BE installations on this machine. But when I click 'Discover BE Installations', no BE installations are found. The 'Create Machine' dialog appears to refresh, but no informative message is displayed to indicate what is wrong.
If I then continue to add the machine anyway (by clicking 'Save' in the 'Create Machine' dialog), navigate to the machine's details page (under 'Machine Management'), then click 'Discover BE Home', I see an error message is displayed in the TEA Server Web UI: "Host are not authenticated":
If I then create a new deployment, and then attempt to create a new instance (on the 'All Instances' details page for the deployment), I see the message "Host is not authenticated" in the 'PU Instance Creation' dialog:
If I then continue to add the machine anyway (by clicking 'Save' in the 'Create Machine' dialog), navigate to the machine's details page (under 'Machine Management'), then click 'Discover BE Home', I see an error message is displayed in the TEA Server Web UI: "Host are not authenticated":
If I then create a new deployment, and then attempt to create a new instance (on the 'All Instances' details page for the deployment), I see the message "Host is not authenticated" in the 'PU Instance Creation' dialog:
Issue/Introduction
Describes the unexpected behavior that is seen when attempting to use an OpenSSH-formatted private key for password-less SSH authentication between the TEA Server machine and the BE TEA Agent machine.
Environment
All Supported Platforms
Resolution
These behaviors and messages indicate that the private SSH key (needed for password-less authentication between the TEA Server and BE TEA Agent machines) was generated using the newer OpenSSH format. This can be confirmed by enabling debug level logging (according to Knowledge Article: "How to Enable Debug Logging for TIBCO TEA Agent"). The resulting log file (under $BE_HOME/teagent/logs/be-teagent.log) will show lines similar to the following:
You can also inspect the private key file in a text editor, and review the header line:
As of OpenSSH version 7.8 (used by RHEL 8.x), this format is now the default format for OpenSSH-related tools like 'ssh-keygen'. Refer to the OpenSSH 7.8 release notes for details.
The solution is to generate your SSH keys in PEM format instead. For example..
This should result in the proper key format, which can be confirmed by inspecting the key file in a text editor. The header line should now look like the following:
DEBUG jsch_group_op-0 [management.util.ManagementUtil] - Key Exchange algorithm used: DEBUG jsch_group_op-0 [management.util.ManagementUtil] - Attempting authentication to ec2-user@<host_ip>:22 using PRIVATE KEY '/home/ec2-user/.ssh/memdump.pem' DEBUG jsch_group_op-0 [common.pool.GroupJob] - Failed to get operating systems details for <host_ip> host ... DEBUG jsch_group_op-0 [management.util.ManagementUtil] - Key Exchange algorithm used: DEBUG jsch_group_op-0 [management.util.ManagementUtil] - Attempting authentication to ec2-user@<host_ip>:22 using PRIVATE KEY '/home/ec2-user/.ssh/memdump.pem' DEBUG jsch_group_op-0 [common.pool.GroupJob] - invalid privatekey: [B@29dbb6c8 You can also inspect the private key file in a text editor, and review the header line:
-----BEGIN OPENSSH PRIVATE KEY----- As of OpenSSH version 7.8 (used by RHEL 8.x), this format is now the default format for OpenSSH-related tools like 'ssh-keygen'. Refer to the OpenSSH 7.8 release notes for details.
The solution is to generate your SSH keys in PEM format instead. For example..
ssh-keygen -m PEM -t rsa This should result in the proper key format, which can be confirmed by inspecting the key file in a text editor. The header line should now look like the following:
-----BEGIN RSA PRIVATE KEY----- If the key name has changed since you first specified it in your be-teagent.props file (under $BE_HOME/teagent/configs/), update the be.tea.agent.ssh.privatekey.file property as needed.
Feedback
Yes
No
Powered by
