TOC & Recently Viewed

Recently Viewed Topics

Manual LCE Key Exchange

You are not normally required to make a manual key exchange between SecurityCenter and the LCE; however, in some cases where you are prohibited from remote root login or required to do key exchange debugging , you must manually exchange the keys.

For the remote LCE to recognize SecurityCenter, copy the SSH public key of SecurityCenter and append it to the /opt/lce/.ssh/authorized_keys file. The /opt/lce/daemons/lce-install-key.sh script performs this function.

Note: The LCE server must have a valid license key installed and the LCE daemon must be running before you perform the steps below.

To perform manual LCE key exchange:

  1. Log in to SecurityCenter as an administrator user.

  2. Download the SecurityCenter key, as described in Download the SecurityCenter SSH Key.
  3. Save the file locally as SSHKey.pub.

    Caution: Do not edit the file or save it to any specific file type.

  4. From the workstation where you downloaded the key file, use a secure copy program (e.g., WinSCP) to copy the SSHKey.pub file to the LCE system.

    Note: You must have the credentials of an authorized user on the LCE server to perform this step.

    For example, if you have a user bob configured on the LCE server (hostname lceserver) whose home directory is /home/bob, the command on a Unix system is as follows:

    # scp SSHKey.pub bob@lceserver:/home/bob

  5. After you copy the file to the LCE server, move the file to /opt/lce/daemons:

    # mv /home/bob/SSHKey.pub /opt/lce/daemons

  6. On the LCE server, as the root user, change the ownership of the SSH key file to lce:

    # chown lce /opt/lce/daemons/SSHKey.pub

  7. Append the SSH public key to the /opt/lce/.ssh/authorized_keys file with the following steps:

    # su lce
    # /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub

  8. To test the communication, as the user tns on the SecurityCenter system, attempt to run the id command:

    # su tns
    # ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id

    If you have not previously established a connection, a warning appears that is similar to the following:

    The authenticity of host '192.168.15.82 (192.168.15.82)' can't be established.
    RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
    Are you sure you want to continue connecting (yes/no)?

  9. Answer yes to this prompt.

    If the key exchange worked correctly, a message similar to the following appears:

    # uid=251(lce) gid=251(lce) groups=251(lce)

  10. You can add the IP address of SecurityCenter to the LCE system’s /etc/hosts file. This prevents the SSH daemon from performing a DNS lookup that can add seconds to your query times.
  11. You can add the LCE to SecurityCenter via the normal administrator process, described in Log Correlation Engines.

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.