How to configure TADDM to use public / private key authentication
When the TADDM application is installed on a Windows server and you need to use public / private key authentication to connect to Unix / Linux clients, you can use the following procedure to configure and test the authentication process.
Step 1: Generate the public / private key pair on a Unix / Linux client.
Log in to the Unix / Linux client as the user that will be running the TADDM discovery; in this example the user is called “taddm”. OpenSSH is installed on this Linux server.
Execute the following command to generate the key pair:
ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save key (/home/taddm/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):<password>
Enter same passphrase again:<password>
Your identification has been saved in /home/taddm/.ssh/id_dsa.
Your public key has been saved in /home/taddm/.ssh/id_dsa.pub.
The key fingerprint is:
Change to the .ssh directory in which the keys were saved.
There are two files in this directory, id_dsa and id_dsa.pub.
Copy the public key to the authorized_keys file:
cp id_dsa.pub authorized_keys
Copy the private key (id_dsa) to your Windows system.
Make sure the .ssh folder's permissions are set to 700 and the authorized_keys file's permissions are set to 600.
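As an added check that is not part of the TADDM documentation, the following POSIX shell script verifies the Step 1 layout on the Linux client (700 on .ssh, 600 on authorized_keys, private key not readable by others, and the public key actually present in authorized_keys). It assumes GNU stat and exercises itself on a constructed sandbox with placeholder key material.

```shell
#!/bin/sh
# Added check for the Step 1 layout on the Linux client (not TADDM code):
# .ssh mode 700, authorized_keys mode 600, private key not group/world
# readable, and the public key blob actually present in authorized_keys.
# Assumes GNU stat (Linux). File names follow the page (id_dsa, id_dsa.pub);
# note that OpenSSH 7.0+ disables DSA keys by default.
check_taddm_ssh_dir() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    for f in id_dsa id_dsa.pub authorized_keys; do
        [ -f "$dir/$f" ] || { echo "missing file: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || { echo "$dir is mode $mode, expected 700"; rc=1; }
    mode=$(stat -c '%a' "$dir/authorized_keys")
    [ "$mode" = "600" ] || { echo "authorized_keys is mode $mode, expected 600"; rc=1; }
    mode=$(stat -c '%a' "$dir/id_dsa")
    case "$mode" in
        600|400) ;;
        *) echo "id_dsa is mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    # Compare only the base64 blob (field 2): authorized_keys lines may carry
    # options or a different comment than id_dsa.pub.
    blob=$(awk '{print $2}' "$dir/id_dsa.pub")
    grep -qF -- "$blob" "$dir/authorized_keys" \
        || { echo "public key blob not found in authorized_keys"; rc=1; }
    return "$rc"
}

# Constructed sandbox with placeholder key material (not real keys) so the
# check can be exercised offline: once passing, once after a common mistake
# (authorized_keys left at 644 after the cp).
make_sandbox() {
    d=$(mktemp -d) && mkdir -m 700 "$d/.ssh"
    echo "ssh-dss AAAAB3CONSTRUCTEDPLACEHOLDERBLOB taddm@linuxclient" > "$d/.ssh/id_dsa.pub"
    cp "$d/.ssh/id_dsa.pub" "$d/.ssh/authorized_keys"
    echo "-----BEGIN DSA PRIVATE KEY----- (constructed placeholder)" > "$d/.ssh/id_dsa"
    chmod 600 "$d/.ssh/authorized_keys" "$d/.ssh/id_dsa"
    echo "$d/.ssh"
}
demo_good() { s=$(make_sandbox) && check_taddm_ssh_dir "$s"; }
demo_bad()  { s=$(make_sandbox) && chmod 644 "$s/authorized_keys"; check_taddm_ssh_dir "$s"; }

demo_good && echo "sandbox layout OK"
demo_bad || echo "misconfiguration detected as expected"
```

Run it as the discovery user with `check_taddm_ssh_dir "$HOME/.ssh"` to check a real client; each problem is reported on its own line and the function returns non-zero.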
Step 2: Modify sshd_config on the Unix/Linux client
Modify the /etc/ssh/sshd_config file to contain the following:
Restart the OpenSSH daemon:
Step 3: Configuring TADDM to use the generated keys.
The id_dsa key that you copied to the Windows TADDM server needs to be placed in a “.ssh” directory for the user that started the TADDM server. If you are unsure of the correct directory, use Step 5 to test the SSH connection; the output displays the directory where it expects to find the key.
For example, if the user that started the TADDM server is the Administrator, then you need to create the “.ssh” directory in the “C:\Documents and Settings\Administrator” folder.
In a command window execute the following command:
cd C:\Documents and Settings\Administrator
Copy the id_dsa key into this directory.
Step 4: Setting up the TADDM access list to use the keys when discovering the Unix / Linux server
Click the Access List under the Discovery tab.
Click the Add button to add a new access type.
Component type should be set to Computer System
Enter a name for the account
Enter the user name (“taddm” in this example).
Enter the passphrase that you used when generating the public/private keys.
Enter the passphrase in the Confirm Password box.
Authentication Type should be set to Default.
On the Scope Limitations tab limit the scope to the scope containing the Unix / Linux clients.
Step 5: Test the SSH connection to the Linux server using the TADDM testssh.bat script
Open a command shell on the TADDM server and change to the directory where the TADDM support tools are installed; in this example it is C:\ibm\cmdb\dist\support\bin.
Issue the following command:
testssh.bat -u <taddm administrator> -p <password> <target server> <command>
If the TADDM console user is administrator and the password is collation, the command to run “ls -al” on the server 10.10.10.130 using the TADDM access list would be:
testssh.bat -u administrator -p collation 10.10.10.130 "ls -al"
This will provide debug information for the command and should return a list of the files in the “taddm” user's home directory.
Step 6: Additional - Setting up the taddm user on Linux to use sudo
To set up the taddm user on Linux to use sudo, edit the sudoers file with the visudo command.
Example sudoers entry to include:
taddm ALL=NOPASSWD: /usr/sbin/lsof, /bin/netstat, /usr/sbin/ethtool
You also need to add the above commands to collation.properties so that TADDM uses the sudo command when running them; the file is in the C:\ibm\cmdb\dist\etc directory.