How to configure SSH key-based authentication between the BE TEA Agent and a BE Worker machine
Article ID: KB0072534
Products: TIBCO BusinessEvents Enterprise Edition
Versions: 5.x, 6.x
Description
This article is intended to assist users in adding machines in the TEA Server web UI, which will be used to deploy BE applications.
NOTE: For clarity, the following terminology is used in this article:
BE TEA Agent machine - The machine which runs the BE TEA Agent.
BE Worker machine - The machine you are attempting to add in the TEA Server web UI for the BusinessEvents product. This machine will be used to run BE applications (as directed in the TEA Server web UI).
The BE TEA Agent machine needs to connect to the BE Worker machine via the SSH protocol. For security reasons, the BE Worker machine's SSH server may not allow users to make SSH connections by providing their username and password. In this case, you can use SSH key-based authentication (also known as "password-less authentication") to enable the SSH connection, and allow the BE TEA Agent to send/receive files to/from the BE Worker machine.
To configure SSH key-based authentication, follow the steps shown below.
Environment
All Supported Platforms
Resolution
A successful key-based SSH connection requires the following:
An SSH server running on the BE Worker machine. This is needed so that the BE TEA Agent can make SSH connections to the BE Worker machine and upload the necessary deployment files.
A private SSH key file to authenticate the user who has installed BusinessEvents on the BE Worker machine.
1. Determine the OS-level user who has installed TIBCO products (like BusinessEvents) on the BE Worker machine. This user will have a folder in his/her home directory named '.TIBCOEnvInfo'. This folder will be inspected by the BE TEA Agent when it makes an SSH connection to the BE Worker machine.
2. Log in to the BE Worker machine using the OS-level user described in step 1.
3. Generate a new SSH key for this user. This can be done with the 'ssh-keygen' command (which is supplied with OpenSSH):
ssh-keygen -m PEM -t rsa
This will save the private key under the user's .ssh directory (/home/<be-worker-user>/.ssh/id_rsa) on the BE Worker machine. The public key 'id_rsa.pub' is saved to the same location.
4. Add the public key to the user's ~/.ssh/authorized_keys file, and ensure it has the appropriate Unix permissions (600):
5. Determine the OS-level user who will run the be-teagent process on the BE TEA Agent machine. This is typically the same user who installed the BE TEA Agent on that machine.
6. Copy the private key file from the BE Worker machine to a known location on the BE TEA Agent machine. This location must be readable by the user who will run the be-teagent process. For the purposes of this example, this path is /opt/keys/id_rsa.
7. Log in to the BE TEA Agent machine using the OS-level user who will run the be-teagent process (as determined in step 5).
8. Confirm that you can make a successful SSH connection from the BE TEA Agent machine to the BE Worker machine:
...where <be-worker-user> is the username determined in step 1, and <be-worker-ip-address> is the IP address of the BE Worker machine. If this step fails, contact TIBCO Support for further assistance.
9. Once a successful connection is confirmed, edit $BE_HOME/teagent/config/be-teagent.props, and set the location of the copied SSH private key. For example:
be.tea.agent.ssh.privatekey.file=/opt/keys/id_rsa
10. Start the be-teagent process.
You are now configured for SSH key-based (i.e. "password-less") authentication.
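As an added example (not part of the original article and not TIBCO tooling), the shell functions below check the file conditions that steps 4 and 6 depend on, which is useful before attempting the connection in step 8. The function names are assumptions; pass in the paths you actually used in those steps.

```sh
#!/bin/sh
# Added example, not TIBCO code. Function names are assumptions.

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 6: the private key copied to the BE TEA Agent machine must exist, be
# readable by the user running be-teagent, and grant nothing to group/other
# (the OpenSSH client ignores a private key file that other users can access).
check_private_key() {
    _key=$1
    [ -f "$_key" ] || { echo "missing: $_key" >&2; return 1; }
    [ -r "$_key" ] || { echo "not readable by $(id -un): $_key" >&2; return 1; }
    _mode=$(file_mode "$_key")
    case $_mode in
        600|400) return 0 ;;
        *) echo "mode $_mode on $_key, expected 600" >&2; return 1 ;;
    esac
}

# Step 4: authorized_keys on the BE Worker machine must be mode 600 and
# contain the public key generated in step 3.
check_authorized_keys() {
    _auth=$1
    _pub=$2
    [ -f "$_auth" ] || { echo "missing: $_auth" >&2; return 1; }
    [ -f "$_pub" ] || { echo "missing: $_pub" >&2; return 1; }
    _mode=$(file_mode "$_auth")
    [ "$_mode" = "600" ] || { echo "mode $_mode on $_auth, expected 600" >&2; return 1; }
    # Match on the base64 key body (second field), ignoring the trailing comment.
    _body=$(awk '{print $2; exit}' "$_pub")
    [ -n "$_body" ] || { echo "no key data in $_pub" >&2; return 1; }
    grep -qF -- "$_body" "$_auth" || { echo "public key not in $_auth" >&2; return 1; }
}
```

Run check_authorized_keys as the step 1 user on the BE Worker machine, and check_private_key /opt/keys/id_rsa as the be-teagent user on the BE TEA Agent machine; both return 0 when the condition holds and print the reason to stderr otherwise.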
Issue/Introduction
Outlines the steps needed to configure SSH key-based authentication (also known as "password-less authentication") between the BE TEA Agent and a BE Worker machine. This allows you to add BE Worker machines in the TEA Server web UI without having to supply the SSH user's password.