Manual Key Exchange with Tenable.sc
A manual key exchange between Tenable.sc and the LCE is normally not required; however, in some cases where remote root login is prohibited or key exchange debugging is required, you will need to manually exchange the keys.
For the remote LCE to recognize Tenable.sc, you need to copy the SSH public key of Tenable.sc and append it to the /opt/lce/.ssh/authorized_keys file on the LCE server. The /opt/lce/daemons/lce-install-key.sh script performs this function.
Note: The LCE server must have a valid license key installed and the LCE daemon must be running before performing the steps below.
To manually exchange the keys with Tenable.sc:
In Tenable.sc, download the Tenable.sc key, as described in Download the Tenable.sc SSH Key in the Tenable.sc User Guide.
Either DSA or RSA format works for this process.
Save the key file (SSHKey.pub) to your local workstation. Do not edit the file or save it to any specific file type.
From the workstation where you downloaded the key file, use a secure copy program, such as “scp” or “WinSCP” to copy the SSHKey.pub file to the LCE system. You will need to have the credentials of an authorized user on the LCE server to perform this step. For example, if you have a user “bob” configured on the LCE server (hostname “lceserver”) whose home directory is /home/bob, the command on a Linux or Unix system would be as follows:
# scp SSHKey.pub bob@lceserver:/home/bob
After the file is copied to the LCE server move the file to /opt/lce/daemons by doing the following:
# mv /home/bob/SSHKey.pub /opt/lce/daemons
On the LCE server, as the root user, change the ownership of the SSH key file to ‘lce’ as follows:
# chown lce /opt/lce/daemons/SSHKey.pub
Then append the SSH public key to the “/opt/lce/.ssh/authorized_keys” file with the following steps:
# su lce
# /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub
To test the communication, as the user “tns” on the Tenable.sc system, attempt to run the ‘id’ command:
# su tns
# ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id
If a connection has not been previously established, you will see a warning similar to the following:
The authenticity of host '192.168.15.82 (192.168.15.82)' can't be established. RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f. Are you sure you want to continue connecting (yes/no)?
Before answering, compare the fingerprint shown with the fingerprint of the LCE server's own SSH host key, obtained directly on that server or through another trusted channel. Answering "yes" records the presented host key in the tns user's known_hosts file, so an unverified "yes" pins whatever host you actually reached. Once the fingerprint matches, answer "yes" to this prompt.
If the key exchange worked correctly, a message similar to the following will be displayed:
uid=251(lce) gid=251(lce) groups=251(lce)
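The LCE-side part of the procedure above (validate the downloaded key file, put the .ssh directory and authorized_keys file in the state sshd requires, append the key exactly once) can be scripted. The following is an added example written for this page, not Tenable's lce-install-key.sh and not a substitute for it; it assumes a single-line OpenSSH public key in the file, as produced by the Tenable.sc download, and the sample key and comment in its demo are constructed placeholders. It also enforces the 0700/0600 modes that sshd's StrictModes check requires, a common reason a manually installed key is silently ignored.

```shell
#!/bin/sh
# Added example (not Tenable's /opt/lce/daemons/lce-install-key.sh).
# Installs an OpenSSH public key into an authorized_keys file the way the
# manual key exchange above does it by hand: check the key file, fix the
# directory and file modes sshd insists on, append the key once.
set -u

# is_openssh_pubkey FILE: succeed only if FILE is exactly one line of the form
#   ssh-rsa|ssh-dss <base64> [comment]
# This rejects private keys, PEM wrappers and files that were edited or saved
# in another format, which is what "do not edit the file" above guards against.
is_openssh_pubkey() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(grep -c '' "$f" || :)" -eq 1 ] || return 1
    grep -q 'PRIVATE KEY' "$f" && return 1
    grep -Eq '^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+=*( .*)?$' "$f"
}

# install_key KEYFILE AUTHKEYS: validate KEYFILE, create the .ssh directory and
# AUTHKEYS with modes 0700/0600 (sshd StrictModes refuses looser ones), and
# append the key only if its type+blob is not already present. Re-running is
# therefore safe, and a changed comment does not create a duplicate entry.
install_key() {
    key=$1; auth=$2
    is_openssh_pubkey "$key" || { echo "refusing: $key is not a single OpenSSH public key" >&2; return 1; }
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    blob=$(awk '{print $1" "$2}' "$key")
    if awk '{print $1" "$2}' "$auth" | grep -Fxq "$blob"; then
        return 0                       # already installed
    fi
    # printf adds exactly one newline even if the key file lacks a trailing one,
    # so the next appended key cannot be glued onto this line.
    printf '%s\n' "$(cat "$key")" >> "$auth"
}

# count_keys AUTHKEYS: number of lines (keys) currently in AUTHKEYS, 0 if absent.
count_keys() {
    if [ -f "$1" ]; then grep -c '' "$1" || :; else echo 0; fi
}

# Real use on the LCE server, as the lce user (paths from the procedure above):
#   install_key /opt/lce/daemons/SSHKey.pub /opt/lce/.ssh/authorized_keys
# Demo against a scratch directory instead:  sh install_sc_key.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    # Constructed placeholder key, not a real Tenable.sc key.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholderBlob/NotARealKey== tns@tenablesc\n' > "$t/SSHKey.pub"
    install_key "$t/SSHKey.pub" "$t/.ssh/authorized_keys"
    install_key "$t/SSHKey.pub" "$t/.ssh/authorized_keys"
    echo "keys installed after two runs: $(count_keys "$t/.ssh/authorized_keys")"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nnot-a-public-key\n' > "$t/wrong.pem"
    install_key "$t/wrong.pem" "$t/.ssh/authorized_keys" || echo "private key rejected as expected"
    ls -ld "$t/.ssh" "$t/.ssh/authorized_keys"
    rm -rf "$t"
fi
```

The type-and-blob comparison (ignoring the comment) is deliberate: Tenable.sc re-downloads produce the same key with the same blob, so the script stays idempotent even if the comment field changes. If you adapt this for a different account, keep the chmod steps; an authorized_keys file that is group- or world-writable is ignored by sshd without any error on the client side beyond "publickey" failing.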
The IP address of Tenable.sc can be added to the LCE system's /etc/hosts file. This prevents the SSH daemon on the LCE from performing a reverse DNS lookup of the connecting Tenable.sc address on every login, which can add seconds to your query times when that lookup is slow or times out.
Add the LCE to Tenable.sc, as described in Add a Log Correlation Engine Server in the Tenable.sc User Guide.