...
The following instructions describe setting up a secure tunnel via SSH to the internal UCONN database's. There are multiple connection methods described below. Please follow the method best suited for your operating system and configuration.
MAC OS X ("Mountain" Lion 10.8 or Higher)
...
Configure SSH Access
...
Please follow these instructions to configure Mac OS X to work properly with UCONN's SSH requirements. Ensure you have submitted a formal request for a UITS admin to add you to the UConn Gateway Server.
Acquire Kerberos Ticket
...
Getting a Kerberos Ticket using Ticket Viewer app
...
- Enter the command kinit <netid>@UCONN.EDU
- Enter your password when prompted
- Enter the command klist to verify your ticket was created successfully, similar to the below screen
Creating the Database Tunnel
...
Terminal Method
...
- Acquire a Kerberos ticket by either using the Terminal or the Ticket Viewer app
Connect to non-production databases (DEV, UAT) using
- ssh -fNL 1522:dbserver02.uits.uconn.edu:1521 <yournetid>@gateway.uits.uconn.edu
Connect to production database (PRD) using
- ssh -fNL 1521:dbserver01.uits.uconn.edu:1521 <yournetid>@gateway.uits.uconn.edu
Application Method
...
There are various GUI applications for creating SSH tunnels on OS X. SSH TUNNEL MANAGER and FUGU SSH are both supported.
SSH Tunnel Manager
FUGU SSH
Network Identity Manager / Putty Method:
...
Windows (Windows 7 and higher)
Ensure you have submitted a formal request for a UITS admin to add you to the UConn Gateway Server.
Configure MIT Kerberos for WIndows
- Download and install the latest MIT kerberos.
- Configure user account in Kerberos and create a ticket.
- Follow the instructions on the Centrify help document to configure Putty - Document is part of the downlaod package.
- Start the Putty session from Start up -> Centrify -> Putty
- type 'gateway.uits.uconn.edu' into the hostname field
- select the Connection -> SSH -> Kerberos from the categories on the left hand side and enable "Attempt Kerberos Auth"
- Enter <netid>@UCONN.EDU Service Principal Name section.
- Under Auto-Login, select third radio - User name portion of user principal name
- <SET UP THE TUNNEL>
- Select the Sessions category from the left hand side
- Type a meaningful name such as 'gateway server' into the saved sessions text field
- click the save button
SSH shared keys / Putty Method:
http://www.howtoforge.com/ssh_key_based_logins_putty
- Download Putty: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe and save it to somewhere where you can access it
- Download PuttyGen: http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe and save it to somewhere you can access it
- Run PuttyGen.exe
- click the 'Generate' button
- move the mouse around in the window until the progress bar is complete (puttygen uses this to make the key random, this isn't a joke)
- click the 'Save public key' button, and ignore the warning about the keyphrase (what do we click to ignore it?) save the file somewhere handy, name it 'public'
- click the 'Save private key' button, save the file in the same location as the private key, name it 'private'
- Send an email to Mitch and Jim with the subject 'putty public key' and attach the 'public' file that we saved two steps prior
- close 'PuttyGen.exe'
- open 'Putty.exe'
- type 'gateway.uits.uconn.edu' into the hostname field
- select the SSH -> Data from the categories on the left hand side
- type your netid (is this true for the gateway server?) into the 'Auto login user' field
- select SSH -> Auth from the categories on the left hand side
- click the 'Browse' button to the right of the 'Private key file for authentication' field
- Select the file named private that was saved in one of the previous steps
- <SET UP THE TUNNEL>
- Select the Sessions category from the left hand side
- Type a meaningful name such as 'gateway server' into the saved sessions text field
- click the save button
<SET UP THE TUNNEL> Putty
...
- in putty select tunnel from the category list from the left hand side "Connection -> SSH -> Tunnels"
- In source port type 1521
- in Destination type:
- dbserver02.uits.uconn.edu:1521 (For non-production)
- dbserver01.uits.uconn.edu:1521 (For production)
- click the 'add' button
Usernames and passwords
For usernames and passwords please contact james.gedarovich@uconn.edu
Environment Connection Parameters
...
UAT_KFS,
UAT_KR
...
Server: dbserver02.uits.uconn.edu:1521
SID: kfs40cf
...
DEV_,
DEV_
...
- latest MIT Kerberos for Windows - Use .msi if available
- Choose "Typical Installation"
- Once the client is installed, open it and choose "Get Ticket". Enter your <netid>@UCONN.EDU and password to create a ticket.
Configure PUTTY to create Tunnel(s)
PUTTY is an SSH client that can create secure tunnels into remote systems. It is used to create tunnels to the UCONN database servers via the Gateway Server.
- Download the latest version of PUTTY for Windows
- Choose the version "A Windows Installer for everything except PuttyTel" (you will need the PuttyGen tool)
- Use the PUTTYGen tool to create an SSH key for your system (including moving your mouse when instructed to randomize the key)
- Place a request to a UITS admin to grant you access to the Gateway server so you can create tunnels using a proxy
- Set up a Saved Session with tunnels in PUTTY
- Ensure your SSH settings are correct
- Expand the SSH tab
- Configure the security settings for SSH version 2.
- Configure GSSAPI settings as ENABLED for SSH-2
- Configure your tunnels
- Tunnels should use a local port of 1521 or 152(X) if you have multiple tunnels set up (ex: both dbserver01 and dbserver02) remote port is 1521.
- "destination" will be dbserver02.uits.uconn.edu for non-production systems and dbserver01.uits.uconn.edu for production
- Once create, these tunnels should be saved in your PUTTY profile.
Edit the Kerberos configuration file
The Kerberos configuration file must include the settings for UCONN servers:
[realms]UCONN.EDU = {
kdc = kerberos.uconn.edu
admin_server = kadmin.uconn.edu
}
On Windows, the krb5.ini is located in a hidden directory, c:\ProgramData\MIT\Kerberos5
In Unix, the file is located in /etc
Create or edit the existing one and include the realms section.View file name krb5.ini height 250