relink SPS to SPP

Hi Dario,

When SPS is linked to SPP, a new user named (SessionConnectionUser_#) which is a certificate user gets created in SPP for the internal communication between SPP and SPS.

The thumbprint you see in (SPP --> Settings --> Session Appliances) belongs to the certificate user named (SessionConnectionUser_#) - Where # is the number of the last join attempted if more than one was performed etc.

There is no option to prevent the thumbprint for this certificate user to be the same when joining against a new SPP node.

However, there should be no relation between this certificate user thumbprint (Used for join related tasks by SPS \ SPP) and the issue you mentioned. What was this thumbprint used for by these users? 

Thanks!

Hello Tawfiq, since we made the relink, all users using putty and winscp for example have had to reload the certificate that these tools store locally in registry keys on the user's pc. Attempting a connection to any linux server they receive a pop up saying:

"the server's host key does not match the putty has cached in the registry. This means that either the server administrator has cached the host key, or you have actually connected to another computer pretending to be the server. The new rsa2 key is : ssh-rsa 2048 SHA256:********************

If you were expecting this change and trust the new key press "Accept" to update putty's cache and continue connecting.

If you want to carry on connecting but without updating the cache press "Connected once".

If you want to abandon the connection completely , press "Cancel".
Pressing "Cancel" is the only guaranteed safe choice

unfortunately i cannot attach any picture but this is the whole message in the pop up.

I found a link to the pop up in internet for an example: http://www.snbforums.com/attachments/putty-png.30188/

if the user click on ACCEPT he save locally the new certificate and it's good forever.

Hello Tawfiq, since we made the relink, all users using putty and winscp for example have had to reload the certificate that these tools store locally in registry keys on the user's pc. Attempting a connection to any linux server they receive a pop up saying:

"the server's host key does not match the putty has cached in the registry. This means that either the server administrator has cached the host key, or you have actually connected to another computer pretending to be the server. The new rsa2 key is : ssh-rsa 2048 SHA256:********************

If you were expecting this change and trust the new key press "Accept" to update putty's cache and continue connecting.

If you want to carry on connecting but without updating the cache press "Connected once".

If you want to abandon the connection completely , press "Cancel".
Pressing "Cancel" is the only guaranteed safe choice

unfortunately i cannot attach any picture but this is the whole message in the pop up.

I found a link to the pop up in internet for an example: http://www.snbforums.com/attachments/putty-png.30188/

if the user click on ACCEPT he save locally the new certificate and it's good forever.

Hi Dario,

That pop-up is not related to the (SessionConnectionUser_#) fyi.

That is referring to the "SSH host key" of the target Linux servers that the user is connecting to which can be manually preloaded to SPS as per the Admin guide here:

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-sessions/6.13.0/administration-guide/72#TOPIC-1765864

Thanks!

ok for me everything is clear and thank you very much but i have to be sure at 100% because i have to go to the customer and tell them with precision that relink is absolutely not related to the different key saved in tools like putty and winscp (i mean the key that needed to access on a linux server) and if not what do you think about this behaviour happened? thanks a lot Tawfiw, really thank you so much!