Creating new keysets

When you need to establish new trusts, you can create new keysets. This topic provides steps for creating a new keyset.

To create a new keyset

  1. From the SSH Protect menu, click Inventory > SSH Keys.

  2. Click Create New Keyset.

  3. Select how you will be installing the keyset's private key.

    1. Automated installation. Select this option if you are using either an agentless or agent-based discovery for the device. Trust Protection Platform will be able to automatically install the key to the target device.

      1. In the Create new Keyset window, enter the requested information.

        Private keys tab

        NOTE  This table is sorted by Field Name.

        Field Name Description

        Account

        A free-text field where you can enter the account name on the operating system account that the key is created for. This account name is displayed in the key details. You can use this value for filtering keys tied to a particular user's account.

        Object names may not contain the backslash \ or less-than sign < characters. Object names (including their path ancestors in the policy tree) must be fewer than 255 total characters.

        Add Keyset to Folder

        The policy folder where the keyset will be added.

        If your account has the correct permissions on a device this field is optional.

        However, application owners who do not have permissions on a device can add the keyset to a policy folder, and SSH Protect can push the keys to the device. This is a self-service feature that lets application owners to add keys to a device without requiring the application owner to have permissions on the actual device itself. If the user does not have the correct permissions to create the key on the device itself, then this field is required.

        For more information, see Creating a new keyset as an application owner.

        Add to this Device

        A reference field to the device that the key is linked to. The device must already exist in the database before you can select it here.

        Format

        The key format. Options are OpenSSH, SSH2 (Tectia), and PuTTY. For more information about SSH2, see Support for SSH Tectia 4.x, 5.x, and 6.x

        Key Path

        Path where the key is stored, including the key name. For example, /home/alice/.ssh/id_rsa.

        Key Type

        Select if this is a host or a client key type.

        Passphrase

        An optional level of security you can add to protect the keyset.
      2. Click Create keyset.

    2. Manual installation. Select this option if you are not able to use an agentless or agent-based discovery tool to automatically install the key. In this case, you will need to manually download, transfer, and install the key to the desired device.

      1. In the Create new Keyset window, enter the requested information.

        Field Name Description
        Location Enter the computer, hostname, or other identifying location.
        Owner Select the identity of the keyset owner. This may be an individual or a group.
        In addition[...] Enter an e-mail address to use as a secondary identity for sending status updates.
        Folder Select the folder in Trust Protection Platform to store the keyset.
        Notes Enter any additional notes you want to make about this keyset.
      2. Click Create keyset.
      3. Optionally, you can Download the Private Key.

  4. Select one of the following options:

    • Add an authorized key (recommended).

      If you created the private key using the Automatic Installation option, you can create the authorized key using either the Manual Installation or Automatic Installation provisioning method. If you created the private key using the Manual Installation option, you must use the Automatic Installation option to create the authorized key. See the information above for details on manual vs automatic key creation.

    • If you created the authorized key manually, you will be able to Download it. To download:

      Select the key format, and (optionally) enter a passphrase, then click Download. The private key (or Tectia header) will be downloaded to your local machine.

      If you download the Tectia Header, you also need to download the SSH2 (Tectia) Key. You then need to rename the header file to authorization and edit the file to specify the absolute path of the key file. So you would have, for example two files:

      • /home/user/.ssh/<key-file-name>
      • /home/usr/.ssh/authorization

      The file permissions for both of these files should be -rw as shown in the following example screen shot:

      NOTE  You can only download private keys if you are either the owner of the private key, or if you have the Read Private Key permission to the key's folder.

      You also have the option of adding additional authorized keys in the wizard.

    • I am done.

      Click this option to exit without creating an authorized key and without downloading the private key.