Manual Log Correlation Engine Key Exchange

Required User Role: Administrator

You are not normally required to perform a manual key exchange between Tenable Security Center and the Log Correlation Engine. However, in some cases, for example where remote root login to the Log Correlation Engine server is prohibited or you need to debug the key exchange, you must exchange the keys manually.

For the remote Log Correlation Engine to recognize Tenable Security Center, copy the SSH public key of Tenable Security Center and append it to the /opt/lce/.ssh/authorized_keys file. The /opt/lce/daemons/lce-install-key.sh script performs this function.

Note: The Log Correlation Engine server must have a valid license key installed and the Log Correlation Engine daemon must be running before you perform the steps below.

To perform manual Log Correlation Engine key exchange:

  1. Log in to Tenable Security Center via the user interface.

  2. Download the Tenable Security Center key, as described in Download the Tenable Security Center SSH Key.

  3. Save the file locally as SSHKey.pub.

    Caution: Do not edit the file or save it to any specific file type.

  4. From the workstation where you downloaded the key file, use a secure copy program (e.g., WinSCP) to copy the SSHKey.pub file to the Log Correlation Engine system.

    Note: You must have the credentials of an authorized user on the Log Correlation Engine server to perform this step.

    For example, if you have a user username configured on the Log Correlation Engine server (hostname lceserver) whose home directory is /home/username, the command on a Unix system is as follows:

    # scp SSHKey.pub username@lceserver:/home/username

  5. After you copy the file to the Log Correlation Engine server, open a shell on that server and run the following command to move the file to /opt/lce/daemons:

    # mv /home/username/SSHKey.pub /opt/lce/daemons

  6. On the Log Correlation Engine server, as the root user, run the following command to change the ownership of the SSH key file to lce:

    # chown lce /opt/lce/daemons/SSHKey.pub

  7. Run the following command to append the SSH public key to the /opt/lce/.ssh/authorized_keys file:

    # su lce
    # /opt/lce/daemons/lce-install-key.sh /opt/lce/daemons/SSHKey.pub

  8. To test the communication, as the user tns on the Tenable Security Center system, attempt to run the id command:

    # su tns
    # ssh -C -o PreferredAuthentications=publickey lce@<LCE-IP> id

    If you have not previously established a connection, a warning appears that is similar to the following:

    The authenticity of host '198.51.100.28 (198.51.100.28)' can't be established.
    RSA key fingerprint is 86:63:b6:c3:b4:3b:ba:96:5c:b6:d4:42:b5:45:37:7f.
    Are you sure you want to continue connecting (yes/no)?

  9. Answer yes to this prompt.

    If the key exchange worked correctly, a message similar to the following appears:

    # uid=251(lce) gid=251(lce) groups=251(lce)

    If you instead see Permission denied (publickey), the key was not accepted: confirm that the key was appended to /opt/lce/.ssh/authorized_keys unchanged, that /opt/lce/.ssh and the authorized_keys file are owned by lce and not group- or world-writable, and check the SSH daemon log on the Log Correlation Engine server.

  10. Optionally, add the IP address of Tenable Security Center to the Log Correlation Engine system’s /etc/hosts file. This prevents the SSH daemon from performing a reverse DNS lookup on the connecting address (the UseDNS setting in sshd_config), which can add seconds to each query when the lookup is slow or times out.

  11. You can add the Log Correlation Engine to Tenable Security Center via the normal administrator process, described in Log Correlation Engines.
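The following script is an added example that is not part of this page or of Tenable's lce-install-key.sh. It carries out the server-side part of the procedure above (steps 5 to 9) in one place: it checks that the downloaded SSHKey.pub is still a single, unmodified OpenSSH public key line (the caution in step 3), appends it to an authorized_keys file only if it is not already there, enforces the permissions sshd requires, and then runs the same id test as step 8 in batch mode so a failure is reported instead of hanging on a prompt. The function names, the SAMPLE_SC_KEY value and the directory parameters are assumptions for illustration; the default directory is the /opt/lce/.ssh path used above.

```shell
#!/bin/sh
# Added example, not Tenable code. Run on the Log Correlation Engine server as
# the lce user (or root):  sh install_sc_key.sh /opt/lce/daemons/SSHKey.pub
# An optional second argument overrides the target .ssh directory.

# Constructed sample key (not a real Tenable Security Center key); the blob has
# the length and prefix of an ed25519 public key so the format check is realistic.
SAMPLE_SC_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfG tns@securitycenter'

# validate_pubkey FILE
# Succeeds only if FILE holds exactly one OpenSSH public key line.  A file that
# an editor re-saved with CRLF line endings, or exported in RFC 4716 format
# ("---- BEGIN SSH2 PUBLIC KEY ----"), fails here rather than turning into an
# authorized_keys entry that sshd silently ignores.
validate_pubkey() {
    f=$1
    [ -f "$f" ] || { echo "validate_pubkey: $f not found" >&2; return 1; }
    [ "$(grep -c . "$f")" -eq 1 ] || {
        echo "validate_pubkey: expected exactly one key line in $f" >&2; return 1; }
    if grep -q "$(printf '\r')" "$f"; then
        echo "validate_pubkey: $f has CRLF line endings; download it again" >&2; return 1
    fi
    # <key type> <base64 blob> [comment]
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$' "$f" || {
        echo "validate_pubkey: $f is not an OpenSSH public key line" >&2; return 1; }
}

# install_pubkey FILE [SSH_DIR]
# Appends the key in FILE to SSH_DIR/authorized_keys unless it is already
# present, and sets the 700/600 modes sshd's StrictModes checks require.
# Idempotent: running it twice leaves a single copy of the key.
install_pubkey() {
    f=$1; dir=${2:-/opt/lce/.ssh}; ak=$dir/authorized_keys
    validate_pubkey "$f" || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    key=$(grep . "$f")
    if grep -qxF -- "$key" "$ak"; then
        echo "install_pubkey: key already present in $ak"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"
    echo "install_pubkey: key appended to $ak"
}

# test_lce_login HOST [USER]
# Step 8 of the procedure without the interactive prompt: BatchMode makes ssh
# fail immediately if the key is not accepted (or the host key is unknown)
# instead of waiting for input.  Accept the host key once, as in step 9, first.
test_lce_login() {
    host=$1; user=${2:-lce}
    ssh -C -o BatchMode=yes -o PreferredAuthentications=publickey \
        -o ConnectTimeout=10 "$user@$host" id
}

# When invoked with a key file, install it; with no arguments the functions are
# only defined so the file can be sourced.
if [ "$#" -gt 0 ]; then
    install_pubkey "$1" "$2" || exit 1
fi
```

The format check catches the two most common ways the download in step 3 gets damaged (an editor adding a trailing carriage return, or a client converting the key to SSH2 format) before anything is written under /opt/lce. After a successful install, run test_lce_login from the Tenable Security Center host as the tns user; a Permission denied result there points at the authorized_keys contents or permissions, not at the network.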