Manual LCE Key Exchange
You are not normally required to make a manual key exchange between SecurityCenter and the LCE; however, in some cases where you are prohibited from remote root login or required to do key exchange debugging, you must manually exchange the keys.
For the remote LCE to recognize SecurityCenter, copy the SSH public key of SecurityCenter and append it to the /opt/lce/.ssh/authorized_keys file. The /opt/lce/daemons/lce-install-key.sh script performs this function.
Note: The LCE server must have a valid license key installed and the LCE daemon must be running before you perform the steps below.
To perform manual LCE key exchange:
Log in to SecurityCenter as an administrator user.
- Download the SecurityCenter key, as described in Download the SecurityCenter SSH Key.
- Save the file locally as SSHKey.pub.
Caution: Do not edit the file or save it to any specific file type.
From the workstation where you downloaded the key file, use a secure copy program (e.g., WinSCP) to copy the SSHKey.pub file to the LCE system.
Note: You must have the credentials of an authorized user on the LCE server to perform this step.
For example, if you have a user bob configured on the LCE server (hostname lceserver) whose home directory is /home/bob, the command on a Unix system is as follows:
# scp SSHKey.pub bob@lceserver:/home/bob
After you copy the file to the LCE server, move the file to /opt/lce/daemons:
# mv /home/bob/SSHKey.pub /opt/lce/daemons
On the LCE server, as the root user, change the ownership of the SSH key file to lce:
# chown lce /opt/lce/daemons/SSHKey.pub
Append the SSH public key to the /opt/lce/.ssh/authorized_keys file with the following steps:
# su lce
# /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub
To test the communication, as the user tns on the SecurityCenter system, attempt to run the id command:
# su tns
# ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id
If you have not previously established a connection, a warning appears that is similar to the following:
The authenticity of host '192.168.15.82 (192.168.15.82)' can't be established.
RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
Are you sure you want to continue connecting (yes/no)?
- Answer yes to this prompt.
If the key exchange worked correctly, a message similar to the following appears:
# uid=251(lce) gid=251(lce) groups=251(lce)
- You can add the IP address of SecurityCenter to the LCE system’s /etc/hosts file. This prevents the SSH daemon from performing a DNS lookup that can add seconds to your query times.
- You can add the LCE to SecurityCenter via the normal administrator process, described in Log Correlation Engines.
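The following check is an added example, not part of the original documentation or of the LCE tooling. It confirms that SSHKey.pub is still one intact OpenSSH public key line after the download and copy steps above, and prints a SHA256 fingerprint you can compare on the workstation and on the LCE server before running lce-install-key.sh. It assumes the key is in the standard single-line OpenSSH format; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def inspect_pubkey(data: bytes) -> dict:
    """Validate one OpenSSH public key line; return its type and fingerprint."""
    if b"\r" in data:
        raise ValueError("CR found: file was converted to DOS line endings")
    lines = [ln for ln in data.split(b"\n") if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one key line, found {len(lines)}")
    fields = lines[0].split()
    if len(fields) < 2:
        raise ValueError("line is not '<type> <base64> [comment]'")
    key_type = fields[0].decode("ascii", "replace")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key body is not valid base64: {exc}") from None
    # The decoded body begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key body is truncated")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("type inside key body does not match the line prefix")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return {"type": key_type, "sha256": "SHA256:" + digest.decode()}


def constructed_key() -> bytes:
    # Constructed sample, not a real SecurityCenter key:
    # an ssh-ed25519 body whose 32 key bytes are simply 0..31.
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes(range(32)))
    return name + b" " + base64.b64encode(blob) + b" constructed@example\n"


if __name__ == "__main__":
    info = inspect_pubkey(constructed_key())
    print(info["type"], info["sha256"])
```

To check the real file, pass its bytes to inspect_pubkey, for example `inspect_pubkey(open("SSHKey.pub", "rb").read())`; the fingerprint must be identical on both systems.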