How to create a FIPS compatible cloud public key for SSH and SCP operations in a cloud environment

Technical Articles ID: KB94844
Last Modified: 9/7/2021

Environment

McAfee Network Security Manager (Linux based Manager) 10.1.7.44 and later

Problem

In a cloud environment, performing the SSH and SCP operations from the Manager fails when using the cloud public key.

The Manager shell fails to load the key for SSH and SCP operations because the key isn’t FIPS compatible. You see the following error:

Manager@mlos.localdomain> scpToRemote -i /tmp/AWS123.pem abc.log centos 10.1.1.9 /home/centos
FIPS mode initialized
The authenticity of host '10.1.1.9 (10.1.1.9)' can't be established.
ECDSA key fingerprint is SHA256:+ANvsES8xxxQtaCPZq/s123JSdXihjuDFuAPyTBxor98hbf.
ECDSA key fingerprint is SHA1:RHNP6HOJFDaYMaEocIuytvfbal.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.9' (ECDSA) to the list of known hosts.
Enter passphrase for key '/tmp/ AWS123.pem':
Enter passphrase for key '/tmp/ AWS123.pem':
Enter passphrase for key '/tmp/ AWS123.pem':
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
lost connection
Please check the syntax.
Syntax -> scpToRemote -i <path/to/key> <filename> <username> <IP> <Destination location/Path>

Solution

Make the cloud public key FIPS compatible, and then carry out the SSH and SCP operations on the cloud environment.

Copy the cloud public key generated to a Linux environment.
NOTE: You can't disable the FIPS mode for an NSM MLOS installation, so you must perform these steps on a Linux host with FIPS disabled.
Confirm that your Linux environment is FIPS disabled:
1. Open a command-line session.
2. Type sysctl crypto.fips_enabled and press Enter.
  - If the output is 1, FIPS is enabled. Disable FIPS or try another Linux host.
  - If the output is 0, FIPS is disabled.
Make the cloud public key FIPS compatible:
Type openssl pkcs8 -topk8 -v2 aes128 -in </path/to/your/keyfile> -out <path/to/output/keyfile> and press Enter.
For example, openssl pkcs8 -topk8 -v2 aes128 -in <opt/key123.pem> -out <opt/xyz/key456.pem>
Type the passphrase of the key, if prompted.
[Optional] Type the encryption password.
[Optional] Verify the encryption password.
Change the permissions of the key file to 600:
Type chmod 600 <path/to/output/keyfile> and press Enter.
Copy the FIPS enabled output key file to the Manager.
Perform your needed SSH and SCP operations in your cloud environment.

Affected Products

Best Practices
Configuration
Network Security Manager 10.x

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

How to create a FIPS compatible cloud public key for SSH and SCP operations in a cloud environment

Environment

Problem

Solution

Affected Products

Glossary of Technical Terms

Title

Title

Knowledge Center

How to create a FIPS compatible cloud public key for SSH and SCP operations in a cloud environment

Environment

Problem

Solution

Affected Products

Glossary of Technical Terms

Choose your region

Title

Title