Chapter 8. Generating a cryptographic key pair

To ensure secure data transmission between the Red Hat Update Appliance (RHUA), content delivery system (CDS), and HAProxy nodes, and to use rhui-manager to set up those nodes, you must generate a key pair on the RHUA node and copy the public key to the CDS and HAProxy nodes.

You can generate either an RSA or an ECDSA key, depending on your use case.

8.1. Generating an RSA key pair

The following steps explain how to generate an RSA key pair for version 2 of the SSH protocol.

Procedure

  1. On the RHUA node, run the ssh-keygen command with the RSA argument, and save the key in the default location.

    Warning

    Leave the passphrase field blank. CDS installation and registration fail if you provide a passphrase while generating the key pair.

    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_rsa):
    Created directory '/home/USER/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/USER/.ssh/id_rsa.
    Your public key has been saved in /home/USER/.ssh/id_rsa.pub.
    The key fingerprint is:
    e7:97:c7:e2:0e:f9:0e:fc:c4:d7:cb:e5:31:11:92:14 USER@rhua.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |             E.  |
    |            . .  |
    |             o . |
    |              . .|
    |        S .    . |
    |         + o o ..|
    |          * * +oo|
    |           O +..=|
    |           o*  o.|
    +-----------------+
  2. Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.

    $ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  3. Copy the public key to the CDS and HAProxy nodes.

    $ ssh-copy-id user@<haproxy1>
    $ ssh-copy-id user@<cds1>
    $ ssh-copy-id user@<cds2>

8.2. Generating an ECDSA key pair

The following steps explain how to generate an ECDSA key pair for version 2 of the SSH protocol.

Procedure

  1. On the RHUA node, run the ssh-keygen command with the ECDSA argument, and save the key in the default location.

    Warning

    Leave the passphrase field blank. CDS installation and registration fail if you provide a passphrase while generating the key pair.

    $ ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/home/USER/.ssh/id_ecdsa):
    Created directory '/home/USER/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/USER/.ssh/id_ecdsa.
    Your public key has been saved in /home/USER/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    fd:1d:ca:10:52:96:21:43:7e:bd:4c:fc:5b:35:6b:63 USER@rhua.example.com
    The key's randomart image is:
    +--[ECDSA  256]---+
    |       .+ +o     |
    |       . =.o     |
    |        o o +  ..|
    |         + + o  +|
    |        S o o oE.|
    |           + oo+.|
    |            + o  |
    |                 |
    |                 |
    +-----------------+
  2. Confirm that the permissions for the ~/.ssh/ directory are set to rwx------, or 700 in octal notation.

    $ ls -ld ~/.ssh
    drwx------. 2 USER USER 54 Nov 25 16:56 /home/USER/.ssh/
  3. Copy the public key to the CDS and HAProxy nodes.

    $ ssh-copy-id user@<haproxy1>
    $ ssh-copy-id user@<cds1>
    $ ssh-copy-id user@<cds2>
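
The permission check from step 2 of both procedures (8.1 and 8.2) and the empty-passphrase requirement from the warnings can be verified in one pass on the RHUA node before you copy the key. The following script is an added example, not part of the original documentation; the names mode_of and check_key_setup are hypothetical, and it assumes OpenSSH's ssh-keygen, whose -y -P "" combination succeeds only for a key with an empty passphrase.

```shell
#!/bin/sh
# Added example: pre-flight check for the RHUA key pair before running ssh-copy-id.
# mode_of and check_key_setup are hypothetical helper names.

# Print the 10-character mode string that `ls -ld` shows for PATH, dropping
# the trailing "." (SELinux context) or "+" (ACL) marker.
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# check_key_setup DIR KEYFILE
# Returns 0 only if DIR is rwx------, KEYFILE is accessible by its owner only,
# KEYFILE.pub exists, and KEYFILE has an empty passphrase.
check_key_setup() {
    dir=$1
    key=$2
    rc=0

    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "FAIL: $dir must be a directory with mode rwx------ (700)" >&2
        rc=1
    fi

    if [ ! -f "$key" ] || [ ! -f "$key.pub" ]; then
        echo "FAIL: $key or $key.pub is missing" >&2
        return 1
    fi

    # The key is stored unencrypted, so file permissions are its only protection.
    # OpenSSH also refuses private keys that group or others can access.
    case "$(mode_of "$key")" in
        -rw-------|-r--------)
            # ssh-keygen -y re-derives the public key; with -P "" it succeeds
            # only when the passphrase is empty, and it never prompts.
            if command -v ssh-keygen >/dev/null 2>&1 &&
               ! ssh-keygen -y -P "" -f "$key" >/dev/null 2>&1; then
                echo "FAIL: $key is passphrase-protected or unreadable" >&2
                rc=1
            fi ;;
        *)
            echo "FAIL: $key must be mode 600 or 400" >&2
            rc=1 ;;
    esac
    return "$rc"
}

# When run with two arguments (directory, private key file), check them and exit.
if [ "$#" -eq 2 ]; then
    check_key_setup "$1" "$2"
    exit $?
fi
```

Run it with the directory and private key as arguments, for example ~/.ssh and ~/.ssh/id_rsa or ~/.ssh/id_ecdsa; a zero exit status means the key pair meets the requirements described above.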