...
MettleCI and its associated systems make use of SSH (a form of public key cryptography) to provide secure communications channels between software components running on different hosts. This page provides an outline of the MettleCI-related components which use SSH, and a high-level view of how those components should be configured.
| Info |
|---|
This page assumes you are running MettleCI Workbench on a Unix-based host under a user called |
Files relevant to MettleCI
The misconfiguration of SSH-related files on the DataStage Engine on which you have MettleCI Workbench installed can give rise to various symptoms, most of which are characterised by the failure of one system to form a trusted connection with another. This troubleshooting article describes the general configuration you should adopt for correct SSH operation.
Correct Configuration
Permissions should be…zpage describes the SSH components relevant to MettleCI, and how those components should be configured for successful operation.
| Gliffy | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
MettleCI CLI
MettleCI CLI commands most commonly execute on the MettleCI Agent Host (described here) and communicate with the DataStage Engine to perform build and deployment tasks. Those commands which communicate over SSH (most notably those from the Remote Namespace with the privateKey option) are dependent upon correct configuration of the SSH between these two hosts.
In the diagram above the MettleCI Agent Host (described here) stores a private key file (named client.key in the diagram above) for which the public key equivalent (e.g. client.key.pub) is stored inside the ~/.ssh/authorized_keys file of the user account you are using to execute the MettleCI Workbench - typically mciworkb. This permits SSH connection between the MettleCI Agent Host and your DataStage Engine upon which the MettleCI Workbench is running.
Directory /mciworkb/.ssh
The directory /home/mciworkb/.sshshould have the following properties:
owned by user ownership of
mciworkbhave group ownership of
dstage.have permissions of
700(drwx------)
...
For example:
| Code Block |
|---|
$> ls -ld /home/mciworkb/.ssh
drwx------ 2 mciworkb dstage 144 Feb 16 14:26 .ssh |
These properties can be established with the following commands:
| Code Block |
|---|
$> chown mciworkb:dstage /home/mciworkb/.ssh # Ownership $> chmod 700 /home/mciworkb/.ssh # Permissions |
For example:
| Code Block |
|---|
$> ls -ld /home/mciworkb/.ssh
drwx------ 2 root root 144 Feb 16 14:31 .ssh
$> |
Files within /mciworkb/.ssh
The directory /home/mciworkb/.sshshould have at least two files:contain the file authorized_keys
...
which effectively controls inbound connections from other hosts. It contains the SSH public keys of
...
hosts that are permitted to connect to
...
your DataStage Engine using key-based authentication. This
...
known_hosts - A file containing a list of keys? from known hosts that you have logged into from the server in which the known_hosts file lives.
A file associated with a specific account that contains one or more host keys. Each host key is associated with an SSH server address (IP or hostname) so that the server can be authenticated when a connection is initiated.
the following properties
...
owned by user mciworkb
...
directory may also contain other files such as known_hosts or config which are not required for successful MettleCI operations.
The authorized_keys file should have the following properties:
user ownership of
mciworkbgroup ownership of
dstage.have permissions of
700600(drwxdrw-------)
This can be established with…
| Code Block | ||
|---|---|---|
| ||
$> chown mciworkb:dstage /home/mciworkb/.ssh/authorized_keys # Ownership $> chmod 700600 /home/mciworkb/.ssh/authorized_keys # Permissions |
For example:
| Code Block |
|---|
$> ls -ld /home/mciworkb/.ssh
drwx------ 2 root root 144 Feb 16 14:31 .ssh
$> |
...
| ||
$> ls -ld /home/mciworkb/.ssh/ |
...
authorized_keys
-rw------- 1 mciworkb dstage |
...
1167 Feb 16 14:31 .ssh/ |
...
authorized_ |
...
and
| Code Block |
|---|
$> chmod 600 .ssh/workbench
$> chmod 600 .ssh/workbench.pub
$> chmod 600 .ssh/authorized_keys
$> chmod 600 .ssh/known_hosts
$> chmod 600 .ssh/config |
Solution
(solution, including…
| Code Block |
|---|
$> practical
$> resolution
$> steps |
Related Articles
...
List related articles (with links)
...
Either manually entered, or
...
keys |
Third Party Systems
SSH may also be involved in MettleCI Workbench’s communication with Work Item Management and Git platforms. In these cases you will use a SSH key pair hosted on the DataStage Engine to form this connection. Your DataStage Engine will store a private key file, an example of which (workbench.key) is created in the MettleCI directory (typically /opt/dm/mci) during MettleCI installation. The the public key equivalent (e.g. workbench.key.pub) is supplied to third party systems with which your DataStage engine needs to communicate - most commonly your Git and Work Item Management platforms. You can either use the key pair created for you by the MettleCI installation process (workbench.key / workbench.key.pub, which is a 521-bit ECDSA key) or create your own if your organisation or third party system have specified SSH key requirements. The process varies from tool to tool, so please see the relevant MettleCI documentation for tools relevant to you.
...