Managing Agentless Management Keys

Key Manager sets up unique management keys (also called internal keys) on all agentless hosts after the host is added to the managed environment. On all agentless hosts, the management key is used by Key Manager for establishing management connections to the host.

Management keys are displayed on the User keys→Authorized keys page (along with other authorized keys). To only display management keys, set the filter Is internal key to Yes.

You can list all the management keys via the command-line client using the list-authorized-keys command:

$ ssh-mgr-client list-authorized-keys -F "is_internal_key=True"

Key Manager provides the following functionality for improving the security of management keys:

  • Setting allow-from options to management keys.

  • Management-key renewal.

For more information about other key actions, see Managing the SSH Key Environment.

Setting Allow-From Options to Management Keys

Management keys on agentless hosts should only authorize Key Manager back ends to access the host. Access from other locations should be disabled for added security.

To allow access from Key Manager back ends only, set allow-from options on the management keys. To do this via the GUI:

  1. On the Settings→General→Host page, set the Use allow-from options in management keys to Yes.

    When Use allow-from options in management keys is checked, all known IP addresses and FQDNs that belong to a Key Manager back end are added to the allow-from options of all management keys.

  2. Optional: In certain situations, the outward-facing address of a Key Manager back end (the address of the Key Manager back end as perceived by the agentless hosts) may differ from the IP and FQDN addresses specified for the back end. This can happen, for example, when the back end accesses agentless hosts via NAT or proxy servers. In such situations, you must specify the outward-facing addresses in the Additional allow-from addresses setting to enable management connections.

    In the Additional allow-from addresses for management keys setting, you can specify additional addresses from which the management keys can be used. IP (IPv4) and FQDN addresses are both supported. When specifying multiple addresses, separate each value with a comma, without whitespace. For example:

    192.0.2.80,proxy01.example.com,192.0.2.121

Subsequently created management keys are generated according to the new settings.

Additional allow-from addresses for management keys can be set via the command-line client as well, using the set-global-setting command (described in set-global-setting):

$ ssh-mgr-client set-global-setting \
-d category=host,name=use_management_key_allow_from,value=True
$ ssh-mgr-client set-global-setting \
-d category=host,name=additional_allow_from,value=192.0.2.80,backend.example.com

Note: Allow-from options are not automatically updated on existing management keys. You must renew the existing management keys to apply the new allow-from settings to them. For instructions about renewing management keys, see Renewing Management Keys.
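The following is an added audit example, not Key Manager's own code, that checks a management key's authorized_keys entry against the allow-from settings described above. It assumes the allow-from option is written as the OpenSSH from= option, that the back ends are known at 192.0.2.10 and backend.example.com, and uses constructed key lines; a key without from=, or with a source set that differs from the current settings, is one that still needs renewal.

```python
import ipaddress
import re

# Constructed values: the addresses Key Manager knows for its back ends (assumed), and
# the "Additional allow-from addresses" value from the example above.
BACKEND_ADDRESSES = ["192.0.2.10", "backend.example.com"]
ADDITIONAL_ALLOW_FROM = "192.0.2.80,proxy01.example.com,192.0.2.121"

FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$", re.I)


def parse_additional_allow_from(value: str) -> list[str]:
    """Validate the setting as the page specifies: IPv4 or FQDN, comma-separated, no whitespace."""
    if any(ch.isspace() for ch in value):
        raise ValueError("whitespace is not allowed in the address list")
    entries = value.split(",")
    for entry in entries:
        if not entry:
            raise ValueError("empty entry (stray comma)")
        try:
            ipaddress.IPv4Address(entry)
        except ValueError:
            if not FQDN_RE.match(entry):
                raise ValueError(f"not an IPv4 address or FQDN: {entry!r}")
    return entries


def expected_sources() -> set[str]:
    """Every address a renewed management key should carry in its from= option."""
    return set(BACKEND_ADDRESSES) | set(parse_additional_allow_from(ADDITIONAL_ALLOW_FROM))


def audit_management_key(line: str, expected: set[str]) -> list[str]:
    """Findings for one authorized_keys line known to be a management key."""
    # Options (if any) precede the key type; a from= value may itself contain commas.
    m = re.match(r"^(?:(?P<opts>\S.*?)\s+)?(?:ssh|ecdsa|sk)-[\w@.-]+\s+[A-Za-z0-9+/=]+", line)
    if not m:
        return ["unparseable authorized_keys line"]
    src = re.search(r'(?:^|,)from="([^"]*)"', m.group("opts") or "")
    if not src:
        return ["no from= option: key accepted from any address; renew the key"]
    actual = set(src.group(1).split(","))
    findings = [f"unexpected allowed source {a}" for a in sorted(actual - expected)]
    findings += [f"back end {a} missing: renew the key" for a in sorted(expected - actual)]
    return findings
```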

Renewing Management Keys

Management keys must be renewed before new settings are applied to them. Situations where you need to renew management keys include the following:

  • You have modified Key Manager settings related to management keys, such as enabling or disabling allow-from options for management keys.

  • You have added a new Key Manager back end to the Key Manager system, and management keys have been set with allow-from restrictions. You must renew your existing management keys to allow the new Key Manager back end to connect to agentless hosts.

  • Management keys, like all types of credentials, should be renewed regularly to improve system security.

To renew the management keys for selected hosts via the GUI:

  1. If you have configured Key Manager to use agentless management keys from HSM, you must select the management key that is to replace the existing management key(s). Skip this step if you have not configured HSM for Key Manager.

    On the Settings→General→HSM page, specify the Default PKCS11 key fingerprint to select the new management key. On subsequent management-key renewals, the authorized key with the given fingerprint is set as the new management key.

  2. On the Hosts page, perform a Renew Management Key action on all the hosts where you want to renew the management key.

    Key Manager launches jobs to renew the management keys on the selected hosts. Renewing management keys does not affect management tasks that are currently running on the selected hosts.

You can also renew management keys via the command-line client, using the renew-management-keys command (described in renew-management-keys):

$ ssh-mgr-client renew-management-keys -F "hostname=server.example.com"