This article discusses the creation of a Private key (typically id_rsa) in a JKS keystore for Public-Private Key Authentication. Think of Public-Private Key Authentication like a lock (the Public key on the Telnet Host) and a key for that lock (the Private key used by the telnet client). When you connect with StayLinked using a Private key in a JKS keystore to a Telnet server with a User ID that has the matching Public key in its \"authorized_keys\" file (located in \/root\/.ssh for the root user), it will let the user in without a password.<\/p>\n\n\n\n
Once you create the .jks file, it needs to be placed in the ..\\Stay-Linked folder. It's also very important to set the specific Emulation Properties described below otherwise it will not work. <\/p>\n\n\n\n
Below we describe how to create the JKS Keystore on Linux. Please note the following parameters:<\/p>\n\n\n\n
Manual Creation of JKS KeyStore File<\/strong> Step 1:<\/strong> Use OpenSSH to generate a PEM formatted Public-Private key pair. The following command will generate a 2048-bit RSA Public-Private key pair. You can reduce this to 1024, but we suggest not going any lower. When this command is run, it will ask you to provide an optional passphrase (slpass will be used in our example). <\/p>\n\n\n\n NOTE: If a private key is already provided, this step will be skipped.<\/p>\n\n\n\n NOTE: If a PuTTY ppk file is provided, you can extract the id_rsa from it by following the instructions at the end of the KB article.<\/p>\n\n\n\n NOTE: If you rename the generated id_rsa.pub to authorized_keys that will set the Public key for the ..\/.ssh folder where authorized_keys resides.<\/p>\n\n\n\n Step 2:<\/strong> Use OpenSSL to create a PEM certificate from the Private id_rsa key previously generated. If you are provided a private key other than id_rsa, replace the 'id_rsa' in the following command with the name of the provided key. This step will require the passphrase, if any, for the Private key (slpass in our example). <\/p>\n\n\n\n NOTE: The commands for steps 2 and 3 need to be run in the folder with the id_rsa file.<\/p>\n\n\n\n NOTE: The command will ask for misc. details to go in the PEM cert (these are functionally not important, so Enter can be pressed multiple times).<\/p>\n\n\n\n Step 3:<\/strong> Use OpenSSL to create an encrypted PKCS12 keystore from the Private key and PEM cert. If you are provided the private key, replace the 'id_rsa' with the name of the provided key. <\/p>\n\n\n\n NOTE: If the id_rsa key has a password from step 1 and 2, you will be required to put in the passphrase for the Private key (slpass in our example).<\/p>\n\n\n\n NOTE: You MUST provide a password for the exported PKCS #12 keystore to be used in Step 6 (exppass used in this example).<\/p>\n\n\n\n NOTE: When the PKCS #12 is created, the Private key and PEM cert get added as a Personal Certificate with an Alias of '1'<\/p>\n\n\n\n Step 4:<\/strong> Use java to migrate the PKCS12 keystore to a JKS keystore.<\/p>\n\n\n\n NOTE: You MUST provide a password for the exported JKS keystore to be used in Step 6 (jkspass used in this example).<\/p>\n\n\n\n Step 5: <\/strong>Remove the keystore.jks from the machine that generated it and place it in the root of the StayLinked server folder (..\/stay-linked).<\/p>\n\n\n\n Step 6: <\/strong>In the Administrator, add the following Emulation Properties along with standard SSH properties. These can be found under Emulation Settings -> Telnet Host Groups -> Telnet Host -> Host Entry -> Emulation Properties<\/p>\n\n\n\n NOTE: The file names and passwords do not have to match the example above and will depend on what was done in Step 3 and 4.<\/p>\n\n\n Exporting the Private key from a ppk file<\/strong><\/p>\n This can be done fairly simply using PuTTYgen (PuTTY Key Generator).<\/p>\n In the interface click on \"load\" and load the ppk (PuTTY Private Key) file.<\/p>\n Once it is loaded, click on \"Conversions\" on the top, and \"Export OpenSSH key\". A Private key file that can be used in Step 2 of the above process, Manual Creation of JKS KeyStore File<\/strong>, will be created. NOTE: Do not use \"Export OpenSSH key (force new file format)\", it will not import using the command in Step 2.<\/p>","protected":false},"excerpt":{"rendered":" This article discusses the creation of a Private key (typically id_rsa) in a JKS keystore for Public-Private Key Authentication. Think of Public-Private Key Authentication like a lock (the Public key on the Telnet Host) and a key for that lock (the Private key used by the telnet client). When you…<\/p>\n","protected":false},"author":7,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":[],"ht-kb-category":[25],"ht-kb-tag":[89,88,87,86],"yoast_head":"\n
<\/p>\n\n\nssh-keygen -m PEM -t rsa -b 2048<\/code><\/p>\n\n\n\n openssl req -new -x509 -key id_rsa -out cert.pem -days 365<\/code><\/p>\n\n\n\n openssl pkcs12 -inkey id_rsa -in cert.pem -export -out ks.p12<\/code><\/p>\n\n\n\n keytool -importkeystore -srckeystore ks.p12 -destkeystore keystore.jks<\/code><\/p>\n\n\n\n