SSH Connector
Important
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.
The SSH connector is an implementation of the Scripted Groovy Connector Toolkit, and is based on Java Secure Channel (JSch) and the Java implementation of the Expect library (Expect4j). This connector enables you to interact with any SSH server, using Groovy scripts for the ICF operations.
The SSH connector is a poolable connector. This means that each connector instance is placed into a connection pool every time an action is completed. Subsequent actions can re-use connector instances from the connector pool. When a new connector instance is created, a new SSH client connection is created against the target SSH server. This SSH connection remains open as long as the connector instance is in the connection pool. Note that when a new action is performed, it finds the SSH connection in the exact state that it was left by the previous action.
The following image shows the relationship between SSH connector instances and SSH connections to the target server:
Configuring Authentication to the SSH Server
The SSH connector authenticates to the SSH server using either a login/password or a public/private key. The authentication method is specified in the authenticationType
property in the connector configuration file (conf/provisioner.openicf-ssh.json
).
- Authenticating with a login and password
To authenticate with a login and password, set the
authenticationType
toPASSWORD
in the connector configuration file, and set auser
andpassword
. For example:"configurationProperties" : { ... "authenticationType" : "PASSWORD", "user" : "<USERNAME>", "password" : "<PASSWORD>", ...
The password is encrypted when IDM loads the provisioner file.
- Authenticating with a passphrase and private key
To authenticate with a secure certificate, generate a pair of public/private keys. Install the public key on the server side and the private key on the IDM host (where the connector is located). Set the
authenticationType
toPUBKEY
in the connector configuration file and set theuser
,password
,passphrase
andprivateKey
properties. For example:"configurationProperties" : { ... "authenticationType" : "PUBKEY", "user" : "<USERNAME>", "password" : "<PASSWORD>", "passphrase" : "secret", "privateKey" : ["-----BEGIN DSA PRIVATE KEY-----", "MIIBugIBAAKBgQDcB0ztVMCFptpJhqlLNZSdN/5cDL3S7aOVy52Ae7vwwCqQPCQr", "6NyUk+wtkDr07NlYd3sg7a9hbsEnlYChsuX+/WUIvbOKdMfeqcQ+jKK26YdkTCGj", "g86dBj9JYhobSHDoQ9ov31pYN/cfW5BAZwkm9TdpEjHPvMIaOxx7GPGKWwIVALbD", "CEuf1yJk9UB7v0dmJS7bKkbxAoGARcbAuDP4rB6MsgAAkVwf+1sHXEiGPShYWrVV", "qBgCZ/S45ELqUuiaN/1N/nip/Cc/0SBPKqwl7o50CUg9GH9kTAjmXiwmbkwvtUv+", "Xjn5vCHS0w18yc3rGwyr2wj+D9KtDLFJ8+T5HmsbPoDQ3mIZ9xPmRQuRFfVMd9wr", "DY0Rs7cCgYAxjGjWDSKThowsvOUCiE0ySz6tWggHH3LTrS4Mfh2t0tnbUfrXq2cw", "3CN+T6brgnpYbyX5XI17p859C+cw90MD8N6vvBxaN8QMDRFk+hHNUeSy8gXeem9x", "O0vdIxCgKvA4dh5nSVb5VGKENEGNEHRlYxEPzbqlPa/C/ZvzIvdKXQIUQMoidPFC", "n9z+mE2dAADnPf2m9vk=", "-----END DSA PRIVATE KEY-----" ], ...
The default value for the
passphrase
property isnull
. If you do not set a passphrase for the private key, the passphrase value must be equal to an empty string.You must set a value for the
password
property, because the connector uses sudo to perform actions on the SSH server.The private key (PEM certificate) must be defined as a JSON String array.
The values of the
passphrase
,password
andprivateKey
are encrypted when IDM loads the provisioner file.
Configuring the SSH Connector
IDM provides a sample connector configuration (provisioner.openicf-ssh.json
) in the /path/to/openidm/samples/ssh/conf/
directory. You can copy the sample connector configuration to your project's conf/
directory, and adjust it to match your Kerberos environment.
Set the authentication properties, as described in "Configuring Authentication to the SSH Server". In addition, set at least the following properties:
host
Specify the hostname or IP address of the SSH server.
port
Set the port on which the SSH server listens.
Default:
22
user
The username of the account that connects to the SSH server.
This account must be able to
ssh
into the server, with the password provided in the next parameter.password
The password of the account that is used to connect to the SSH server.
prompt
A string representing the remote SSH session prompt. This must be the exact prompt string, in the format
username@target:
, for exampleadmin@myserver:~$
. Include any trailing spaces.
The following list describes the configuration properties of the SSH connector shown in the sample connector configuration file. You can generally use the defaults provided in the sample connector configuration file, in most cases. For a complete list of all the configuration properties of the SSH connector, see "Configuration properties".
sudoCommand
A string that shows the full path to the sudo command, for example
/usr/bin/sudo
.echoOff
If set to
true
(the default), the input command echo is disabled. If set tofalse
, every character that is sent to the server is sent back to the client in theexpect()
call.terminalType
Sets the terminal type to use for the session. The list of supported types is determined by your Linux/UNIX system. For more information, see the
terminfo
manual page (man terminfo).Default:
vt102
setLocale
If set to
true
, indicates that the default environment locale should be changed to the value of thelocale
property.Default:
false
locale
Sets the locale for the LC_ALL, LANG and LANGUAGE environment variables, if
setLocale
is set totrue
.Default:
en_US.utf8
connectionTimeout
Specifies the connection timeout to the remote server, in milliseconds.
Default:
5000
expectTimeout
Specifies the timeout used by the
expect()
calls in scripts, in milliseconds.Default:
5000
authenticationType
Sets the authentication type, either
PASSWORD
orPUBKEY
. For more information, see "Configuring Authentication to the SSH Server".Default:
PASSWORD
throwOperationTimeoutException
If
true
, the connector throws an exception when theexpectTimeout
is reached for an operation. Otherwise, the operation fails silently.Default:
true
scriptRoots
The path to the Groovy scripts that will perform the ICF operations, relative to your IDM installation directory. The sample connector configuration expects the scripts in
project-dir/tools
, so this parameter is set to&{idm.instance.dir}/tools
in the sample configuration.classpath
The directory in which the compiler should look for compiled classes. The default classpath, if not is specified, is
install-dir/lib
.*ScriptFileName
The name of the Groovy script that is used for each ICF operation.
OpenICF Interfaces Implemented by the SSH Connector
The SSH Connector implements the following OpenICF interfaces.
- Authenticate
Provides simple authentication with two parameters, presumed to be a user name and password.
- Create
Creates an object and its
uid
.- Delete
Deletes an object, referenced by its
uid
.- Resolve Username
Resolves an object by its username and returns the
uid
of the object.- Schema
Describes the object types, operations, and options that the connector supports.
- Script on Connector
Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics:
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.The script has access to any script-arguments passed in by the application.
- Script on Resource
Runs a script on the target resource that is managed by this connector.
- Search
Searches the target resource for all objects that match the specified object class and filter.
- Sync
Polls the target resource for synchronization events, that is, native changes to objects on the target resource.
- Test
Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
Updates (modifies or replaces) objects on a target resource.
SSH Connector Configuration
The SSH Connector has the following configurable properties.
Configuration properties
Property | Type | Default | Encrypted [a] | Required [b] | ||
---|---|---|---|---|---|---|
customSensitiveConfiguration | GuardedString | null | ||||
Description is not available | ||||||
| ||||||
createScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
targetDirectory | File | null | ||||
Description is not available | ||||||
| ||||||
customizerScriptFileName | String | null | ||||
Description is not available | ||||||
| ||||||
warningLevel | int | 1 | ||||
Description is not available | ||||||
| ||||||
authenticateScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
scriptExtensions | String[] | ['groovy'] | ||||
Description is not available | ||||||
| ||||||
scriptOnResourceScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
minimumRecompilationInterval | int | 100 | ||||
Description is not available | ||||||
| ||||||
deleteScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
scriptBaseClass | String | null | ||||
Description is not available | ||||||
| ||||||
scriptRoots | String[] | null | ||||
Description is not available | ||||||
| ||||||
customConfiguration | String | null | ||||
Description is not available | ||||||
| ||||||
resolveUsernameScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
searchScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
tolerance | int | 10 | ||||
Description is not available | ||||||
| ||||||
updateScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
debug | boolean | false | ||||
Description is not available | ||||||
| ||||||
classpath | String[] | [] | ||||
Description is not available | ||||||
| ||||||
disabledGlobalASTTransformations | String[] | null | ||||
Description is not available | ||||||
| ||||||
schemaScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
verbose | boolean | false | ||||
Description is not available | ||||||
| ||||||
testScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
sourceEncoding | String | UTF-8 | ||||
Description is not available | ||||||
| ||||||
syncScriptFileName | String | null |
| |||
Description is not available | ||||||
| ||||||
recompileGroovySource | boolean | false | ||||
Description is not available | ||||||
| ||||||
[a] Indicates whether the property value is considered confidential, and therefore encrypted in OpenIDM. [b] A list of operations in this column indicates that the property is required for those operations. |
Basic Configuration Properties
Property | Type | Default | Encrypted [a] | Required [b] |
---|---|---|---|---|
host | String | null | ||
The hostname to connect to | ||||
| ||||
port | int | 22 | ||
TCP port to use (defaults to 22) | ||||
| ||||
user | String | null | ||
The user name used to login to remote server | ||||
| ||||
password | GuardedString | null | ||
The password used to login to remote server | ||||
| ||||
passphrase | GuardedString | null | ||
The passphrase used to read the private key when using Public Key authentication | ||||
| ||||
privateKey | String[] | [] | ||
The base 64 encoded value (PEM) of the private key used for Public Key authentication | ||||
| ||||
authenticationType | String | PASSWORD | ||
Defines which authentication type should be use: PASSWORD or PUBKEY (defaults to PASSWORD) | ||||
| ||||
prompt | String | root@localhost:# | ||
A string representing the remote SSH session prompt (defaults to root@localhost:# ) | ||||
| ||||
sudoCommand | String | /usr/bin/sudo | ||
A string representing the sudo command (defaults to /usr/bin/sudo) | ||||
| ||||
echoOff | boolean | true | ||
Disable the input command echo (default to true) | ||||
| ||||
terminalType | String | vt102 | ||
Defines the terminal type to use for the session (default to vt102) | ||||
| ||||
locale | String | en_US.utf8 | ||
Define the locale for LC_ALL, LANG and LANGUAGE environment variables to use if setLocale=true | ||||
| ||||
setLocale | boolean | false | ||
Defines if the default environment locale should be changed with the value provided for locale (defaults to false) | ||||
| ||||
connectionTimeout | int | 5000 | ||
Defines the connection timeout to the remote server in milliseconds (default to 5000) | ||||
| ||||
expectTimeout | long | 5000 | ||
Defines the timeout used by the expect() calls in the scripts in milliseconds (default to 5000) | ||||
| ||||
throwOperationTimeoutException | boolean | true | ||
Defines if an OperationTimeoutException should be thrown if any call to expect times out (defaults to true) | ||||
| ||||
promptReadyTimeout | long | 20 | ||
Defines the "prompt ready" timeout for the promptReady() command in milliseconds (default to 20) | ||||
| ||||
[a] Indicates whether the property value is considered confidential, and therefore encrypted in OpenIDM. [b] A list of operations in this column indicates that the property is required for those operations. |