Managing the SSH Host Key Used by the Purge Process CLI

By default, the first time that an SSH client attempts to connect to the Purge Process CLI, ActiveMatrix BPM automatically generates an SSH host key, then uses that key to negotiate and encrypt the connection.

The generated host key is stored (using the filename specified in the cliPath substitution variable) and used for all subsequent connection requests to the Purge Process CLI from any SSH client.

The generated host key uses default settings compatible with the Java and Java Cryptography Extension (JCE) version used by ActiveMatrix BPM. If these defaults do not meet your organization's cryptographic requirements, you can:

  • change the key algorithm, the cipher list and the key length used for the generated host key.
  • change the name and storage location of the host key file.
  • use an externally created host key instead of the generated one.
  • regenerate or replace the host key whenever you need to, forcing subsequent connections from SSH clients to use the new host key.

Procedure

  1. In TIBCO ActiveMatrix Administrator, click Applications.
  2. Expand bpmAppName > System
  3. Click bpmAppName.
  4. Click the Substitution Variables tab.
  5. Edit the following substitution variables as required.
    Variable Name / Description / Default Value

    cliAlgorithm
      Public-key algorithm used to generate the host key pair. The original table labels this the key exchange (Kex) algorithm, but the default, RSA, is a host key type, not an SSH key exchange method: this variable selects the kind of key pair that is generated.
      Default: RSA

    cliCiphers
      Comma-separated list of encryption ciphers offered to the SSH client when the connection is negotiated, in order of preference. (The ciphers protect the transport; they play no part in generating the host key.)
      Default: aes256-ctr,aes192-cbc,aes256-cbc
      Two of the three default entries are CBC-mode ciphers, which current SSH clients treat as weak because of plaintext-recovery attacks on CBC in the SSH transport (OpenSSH no longer offers them by default). A policy that allows only counter-mode ciphers would set this to aes256-ctr, adding other CTR ciphers only if the JCE in use supports them.

    cliKeyLength
      Number of bits in the generated host key. A longer key is harder to factor (for RSA) but takes longer to generate and makes the handshake slower. The default, 1024, is below the 2048-bit minimum that NIST SP 800-131A requires for RSA signature keys; use 2048 or more unless the JCE in use does not permit it.
      Default: 1024

    cliPath
      Name of the file that holds the host key, whether the key is externally supplied or automatically generated by ActiveMatrix BPM. This can be either a simple filename or a full path name.
      If a full path name is not specified, the file must be in CONFIG_HOME\tibcohost\Admin-enterpriseName-adminServerName\data_3.2.x\nodes\BPMnodeName\bin\.

      For example, as a full path name:

      C:\ProgramData\amxbpm\tibco\data\tibcohost\Admin-AMX BPM-AMX BPM Server\data_3.2.x\nodes\BPMNode\bin\hostkey.ser

      or as a simple filename:

      hostkey.ser
  6. Save your changes.
    Note: The bpmAppName now shows as Out of Sync. Click Deploy > Deploy Without Start to resynchronize it.
  7. Delete any existing host key file from the cliPath location. If you are using:
    • an externally created host key, copy that file to the cliPath location so that it is used the next time an SSH client attempts to connect.
    • the generated host key, deleting the existing file ensures that a new one is generated and used the next time an SSH client attempts to connect.
    Note: Any SSH client that has already recorded the old host key (for example in its known_hosts file) will report a changed host key on its next connection and must remove the old entry before it can connect. Verify the new key's fingerprint out of band before accepting it.
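After changing cliAlgorithm, cliKeyLength or cliCiphers and regenerating the key, a practitioner wants to confirm what the Purge Process CLI actually presents. The following is an added example, not part of the TIBCO documentation or product: it parses a host key line in the format produced by `ssh-keyscan -p <port> <host>` (the port and host are whatever your deployment uses; they are not given on this page), reports the key type, RSA modulus size and the SHA256 fingerprint in the form `ssh-keygen -l` prints, and checks a cliCiphers value for CBC-mode entries. The key used for the demonstration is constructed inside the block (a synthetic odd number of the requested size stands in for the RSA modulus) so that it runs offline; substitute the real `ssh-keyscan` output in practice.

```python
"""Policy checks for a Purge Process CLI host key and cipher list (added example)."""
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048
# Substrings that identify cipher names a current policy would reject.
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des", "blowfish")
STRONG_NON_RSA_TYPES = ("ssh-ed25519", "ecdsa-sha2-nistp256",
                        "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_ssh_public_key(line):
    """Parse a line in OpenSSH public-key or ssh-keyscan format.

    Accepts '[hostname] ssh-rsa AAAA... [comment]'; returns key type,
    RSA modulus bits (None for non-RSA keys) and the SHA256 fingerprint.
    """
    fields = line.split()
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no SSH public key found in line")
    key_type, b64 = fields[idx], fields[idx + 1]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type in blob does not match declared type")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent (mpint)
        n, off = _read_string(blob, off)    # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    # ssh-keygen -l prints base64(SHA256(blob)) without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    return {"type": key_type, "bits": bits,
            "fingerprint": "SHA256:" + digest.decode()}


def key_meets_policy(info, min_rsa_bits=MIN_RSA_BITS):
    """True if the parsed host key is acceptable under the policy above."""
    if info["type"] == "ssh-rsa":
        return info["bits"] is not None and info["bits"] >= min_rsa_bits
    return info["type"] in STRONG_NON_RSA_TYPES


def weak_ciphers(cli_ciphers):
    """Return the entries of a cliCiphers value that the policy rejects."""
    return [c for c in cli_ciphers.split(",")
            if any(m in c for m in WEAK_CIPHER_MARKERS)]


def make_rsa_public_key_line(n_bits, e=65537, host="bpmnode"):
    """Construct an ssh-rsa key line of the given modulus size for testing.

    The modulus is a synthetic odd number with the top bit set, NOT a real
    RSA modulus; it exists only to exercise the parser and size check.
    """
    n = (1 << (n_bits - 1)) | 1

    def mpint(x):
        # Positive mpint: minimal big-endian bytes, with a leading 0x00
        # when the high bit of the first byte would otherwise be set.
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b

    def sshstr(s):
        return struct.pack(">I", len(s)) + s

    blob = sshstr(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    for bits in (1024, 2048):
        info = parse_ssh_public_key(make_rsa_public_key_line(bits))
        verdict = "OK" if key_meets_policy(info) else "BELOW POLICY"
        print(f"{info['type']} {info['bits']} bits {info['fingerprint']} -> {verdict}")
    print("weak entries in default cliCiphers:",
          weak_ciphers("aes256-ctr,aes192-cbc,aes256-cbc"))
```

In practice, run `ssh-keyscan` against the BPM node after redeploying and feed each output line to `parse_ssh_public_key`; if the reported size is still 1024 bits, the old hostkey.ser was not deleted before the first client connected, and the generated key was simply reused.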