Configure SSH-based features

This topic describes how to configure FIPS-compliant mode, select the SSH library, and handle SSH host key fingerprints for SSH-based plugins.

Overview

You can configure SSH-based CPM plugins to work in FIPS-compliant mode, select the SSH library they use, or temporarily override a stored SSH key fingerprint, for the following plugin types:

Configure FIPS-compliant mode

  • In the bin folder on the CPM server, create a file called ExpectConfiguration.ini with the following content:

    RunInFIPSCompliantMode=Yes

Configure SSH library

  • In the bin folder on the CPM server, create a file called ExpectConfiguration.ini with the following content, or add the line to the existing ExpectConfiguration.ini file:

    SshLibrary=Rebex

  • The Rebex configuration supports RHEL 8.4 and Fedora 35 targets with their default crypto policies.

  • The default crypto policies on a Cisco target must be changed before it works with the Rebex configuration:

    • Replace the diffie-hellman-group1-sha1 key exchange algorithm (a 1024-bit group with SHA-1, which the Rebex configuration does not accept) with a supported algorithm. See Supported SSH algorithms for Rebex for the list.

    • The RSA host key must be at least 1024 bits. That is the minimum the Rebex configuration accepts; generate 2048-bit or larger keys where the target allows it.
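The two Cisco requirements above can be checked before a platform is switched to Rebex. The following Python is an added example, not CPM or Rebex code: it parses an ssh-rsa host key in the format ssh-keyscan prints, reports the modulus size, and flags diffie-hellman-group1-sha1 in a server's key-exchange list. The sample keyscan lines and KEX lists are constructed (the moduli are not real RSA keys, only numbers of the right bit length), and the function and constant names are this example's own; extend UNSUPPORTED_KEX from the Supported SSH algorithms for Rebex list.

```python
"""Pre-flight check of an SSH target against the Rebex requirements above:
no diffie-hellman-group1-sha1 key exchange, RSA host key of at least 1024 bits."""
import base64
import struct

# Key-exchange algorithms the page says must be replaced before the Rebex
# configuration can connect. Extend this set from "Supported SSH algorithms for Rebex".
UNSUPPORTED_KEX = {"diffie-hellman-group1-sha1"}
MIN_RSA_BITS = 1024  # minimum stated on the page; 2048 is the practical floor


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative SSH mpint (RFC 4251): minimal big-endian bytes,
    with a leading 0x00 when the top bit would otherwise read as a sign bit."""
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode one SSH string at offset `off`; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_ssh_rsa(blob: bytes) -> tuple[int, int]:
    """Parse a raw ssh-rsa public key blob (the base64 field of a keyscan line) into (e, n)."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {ktype!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def rsa_bits(blob: bytes) -> int:
    """Key size as OpenSSH reports it: the bit length of the modulus n."""
    return parse_ssh_rsa(blob)[1].bit_length()


def check_target(keyscan_line: str, kex_offered: list[str]) -> list[str]:
    """Return findings for one target; an empty list means it meets both requirements.
    `keyscan_line` is in `ssh-keyscan -t rsa <host>` format ("host ssh-rsa <base64>");
    `kex_offered` is the server's KEX list, e.g. taken from `ssh -vv` output."""
    findings = []
    host, ktype, b64 = keyscan_line.split()[:3]
    if ktype == "ssh-rsa":
        bits = rsa_bits(base64.b64decode(b64))
        if bits < MIN_RSA_BITS:
            findings.append(f"{host}: RSA host key is {bits} bits, need at least {MIN_RSA_BITS}")
    for alg in kex_offered:
        if alg in UNSUPPORTED_KEX:
            findings.append(f"{host}: offers unsupported key exchange {alg}")
    return findings


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa blob; used here only to construct sample input."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


# Constructed sample data: these moduli are not real RSA keys, they are chosen
# purely for their bit length so the size check can be exercised offline.
GOOD_N = (1 << 2047) | 1   # 2048-bit modulus
WEAK_N = (1 << 767) | 1    # 768-bit modulus
GOOD_LINE = "router1 ssh-rsa " + base64.b64encode(make_rsa_blob(65537, GOOD_N)).decode()
WEAK_LINE = "router2 ssh-rsa " + base64.b64encode(make_rsa_blob(65537, WEAK_N)).decode()
LEGACY_KEX = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]  # assumed server offer
MODERN_KEX = ["diffie-hellman-group14-sha256", "ecdh-sha2-nistp256"]        # assumed server offer

if __name__ == "__main__":
    print(check_target(GOOD_LINE, MODERN_KEX))
    for finding in check_target(WEAK_LINE, LEGACY_KEX):
        print(finding)
```

Feed it the real output of ssh-keyscan and the KEX list from a verbose ssh session against the Cisco device; only the key-size check depends on the key type being ssh-rsa, the KEX check applies to any target.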

SSH Fingerprints

When a plugin connects over SSH, the target's host key fingerprint is stored on first contact and checked on every later login; it identifies the machine as the expected target. If an action encounters a different fingerprint, the connection fails.

If the new fingerprint is legitimate (for example, the target's host key was rotated) and you want the connection to succeed, you can temporarily override the stored fingerprint. The stored fingerprint is then replaced with the target's new fingerprint.

Enable or disable fingerprint validation for a platform

  1. In the PVWA, select Administration > Platform Management.
  2. Edit the platform settings: select the platform, click on the right side of the screen, and select Edit.
  3. Under Automatic Password Management > Additional Policy Settings, right-click Parameters, and select Add Parameter.
  4. Add the following parameter and set it to Yes to enable fingerprint validation, or No to disable it:

    Parameter: StoreKeyinCache

    Description: A security feature that stores the target's fingerprint in the cache. If the target changes, the fingerprint returned from the target does not match the fingerprint stored in the cache and the plugin connection fails.

    Default value: Yes (if implemented by the TPC or the plugin)

    Mandatory: No

  5. Click OK.

Temporarily override a target's fingerprint

If an action encounters a fingerprint that differs from the stored one, the connection fails. To connect to the target without an error, you can temporarily override the stored fingerprint; this replaces it with the target's new fingerprint. Because the override accepts whatever key the target presents, leave it enabled only for the single Reconcile that refreshes the cache.

To temporarily override a target's fingerprint:

  1. In the account properties, set the following parameter to Yes.

    Parameter: OverrideOnInvalidKeyInCache

    Description: Overrides the fingerprint validation and connects to the target. The fingerprint stored in the cache is updated with the target's new fingerprint.

    Default value: No

    Mandatory: No

  2. Run Reconcile.
  3. Return the account to a secure state: in the account properties, set OverrideOnInvalidKeyInCache back to No.
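The interaction between the platform parameter and the account parameter is easier to see in a small model. The following Python is an added illustration, not CPM code: StoreKeyinCache and OverrideOnInvalidKeyInCache are the page's parameter names, while the class, the method names, the OpenSSH-style SHA256 fingerprint format (the page does not say which format CPM stores) and the sample key bytes are this example's assumptions. It walks through the procedure above for a target whose host key was rotated, and shows why step 3 matters.

```python
"""Model of the host-key pinning behaviour described above. Added illustration,
not CPM code: StoreKeyinCache and OverrideOnInvalidKeyInCache are the page's
parameter names; the class, method names and fingerprint format are assumptions."""
import base64
import hashlib


def fingerprint(host_key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob).
    Assumed format for the example; the page does not state CPM's internal format."""
    digest = hashlib.sha256(host_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class FingerprintCache:
    """Per-target fingerprint store with the two switches the page describes."""

    def __init__(self, store_key_in_cache: bool = True):
        self.store_key_in_cache = store_key_in_cache   # platform parameter StoreKeyinCache
        self._cache: dict[str, str] = {}

    def connect(self, target: str, presented_key: bytes, override_on_invalid: bool = False) -> str:
        """Simulate one plugin connection. `override_on_invalid` is the account
        parameter OverrideOnInvalidKeyInCache. Returns how the key was treated;
        raises ConnectionError on a mismatch the settings do not permit."""
        fp = fingerprint(presented_key)
        if not self.store_key_in_cache:
            return "unpinned"                 # validation disabled: any key is accepted
        stored = self._cache.get(target)
        if stored is None:
            self._cache[target] = fp           # first contact: trust and pin
            return "pinned"
        if stored == fp:
            return "match"
        if override_on_invalid:
            self._cache[target] = fp           # override: accept and re-pin the new key
            return "overridden"
        raise ConnectionError(f"{target}: presented {fp}, stored {stored}")


# Constructed sample keys (arbitrary bytes standing in for host-key blobs).
OLD_KEY = b"constructed-host-key-A"
NEW_KEY = b"constructed-host-key-B"
OTHER_KEY = b"constructed-host-key-C"


def rotation_scenario() -> list[str]:
    """Walk through the procedure above for a target whose host key was rotated."""
    cache = FingerprintCache(store_key_in_cache=True)
    log: list[str] = []

    def attempt(key: bytes, override: bool = False) -> None:
        try:
            log.append(cache.connect("db01", key, override))
        except ConnectionError:
            log.append("mismatch")

    attempt(OLD_KEY)                  # first Reconcile pins key A
    attempt(OLD_KEY)                  # later actions match
    attempt(NEW_KEY)                  # target rekeyed: plugin connection fails
    attempt(NEW_KEY, override=True)   # steps 1 and 2: override set to Yes, Reconcile runs
    attempt(NEW_KEY)                  # step 3 done (override back to No): key B is the pin
    attempt(OLD_KEY)                  # the old key is now the one that is rejected
    return log


def override_left_on_accepts_any_key() -> bool:
    """Why step 3 matters: with the override still Yes, any other key is also re-pinned."""
    cache = FingerprintCache()
    cache.connect("db01", NEW_KEY)
    return cache.connect("db01", OTHER_KEY, override_on_invalid=True) == "overridden"


if __name__ == "__main__":
    print(rotation_scenario())
    print("override left on accepts any key:", override_left_on_accepts_any_key())
```

The rotation walk-through returns pinned, match, mismatch, overridden, match, mismatch: the override is needed exactly once, and after it is reset the new key is enforced as strictly as the old one was. While the override stays at Yes, the second function shows that validation is effectively off for that account.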