Thursday, July 19, 2012

Configure RAC Nodes for Remote Access

Perform the following configuration procedures on both Oracle RAC nodes in the cluster

Before installation and use of Oracle Real Application clusters, secure shell (SSH) must be configured for the "oracle" UNIX user account on all cluster nodes. User equivalence enables the "oracle" UNIX user account to access all other nodes in the cluster (running commands and copying files) without the need for a password. This can be configured using SSH.
This section describes how to configure SSH.

To determine if SSH is installed and running, enter the following command on both Oracle RAC nodes:

# pgrep sshd
If SSH is running, the response to this command is a list of process ID numbers.

Creating RSA and DSA Keys on Both Oracle RAC Nodes

The first step in configuring SSH is to create RSA and DSA key pairs on both Oracle RAC nodes in the cluster. The command to do this will create a public and private key for both RSA and DSA (for a total of four keys per node). The content of the RSA and DSA public keys will then need to be copied into an authorized key file which is then distributed to both Oracle RAC nodes in the cluster.

Use the following steps to create the RSA and DSA key pairs. Please note that these steps will need to be completed on both Oracle RAC nodes in the cluster:

Logon as the "oracle" UNIX user account.

# su - oracle

If necessary, create the .ssh directory in the "oracle" user's home directory and set the correct permissions on it:

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh

Enter the following command to generate an RSA key pair (public and private key) for version 3 of the SSH protocol:

$ /usr/bin/ssh-keygen -t rsa

At the prompts:
  • Accept the default location for the key files.
  • Enter and confirm a pass phrase. This should be different from the "oracle" UNIX user account password, although that is not a requirement.
  • This command will write the public key to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file. Note that you should never distribute the private key to anyone!

Enter the following command to generate a DSA key pair (public and private key) for version 3 of the SSH protocol:

$ /usr/bin/ssh-keygen -t dsa

At the prompts:

  • Accept the default location for the key files.
  • Enter and confirm a pass phrase. This should be different from the "oracle" UNIX user account password, although that is not a requirement.
  • This command will write the public key to the ~/.ssh/id_dsa.pub file and the private key to the ~/.ssh/id_dsa file. Note that you should never distribute the private key to anyone!

Repeat the above steps for both Oracle RAC nodes in the cluster.

Now that both Oracle RAC nodes contain a public and private key for both RSA and DSA, you will need to create an authorized key file on one of the nodes. An authorized key file is nothing more than a single file that contains a copy of everyone's (every node's) RSA and DSA public key. Once the authorized key file contains all of the public keys, it is then distributed to all other nodes in the cluster.

Complete the following steps on one of the nodes in the cluster to create and then distribute the authorized key file:

First, determine if an authorized key file already exists on the node (~/.ssh/authorized_keys). In most cases it will not exist, since this is a new install. If the file doesn't exist, create it now:

$ touch ~/.ssh/authorized_keys
$ cd ~/.ssh

$ ls -l *.pub
-rw-r--r--  1 oracle oinstall 603 Aug 31 23:40 id_dsa.pub
-rw-r--r--  1 oracle oinstall 223 Aug 31 23:36 id_rsa.pub

The listing above should show the id_rsa.pub and id_dsa.pub public keys created in the previous section.

In this step, use SSH to copy the content of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub public keys from both Oracle RAC nodes in the cluster into the authorized key file just created (~/.ssh/authorized_keys). This is done from one node, which connects to each node in the cluster in turn. You will be prompted for the "oracle" UNIX user account password for each Oracle RAC node accessed. Notice that when using SSH to access the node, the first attempt prompts for the "oracle" UNIX user account password; the second attempt at accessing this node prompts for the pass phrase used to unlock the private key. For any of the remaining nodes, it always asks for the "oracle" UNIX user account password.

The following example is being executed from xxxx1.com and assumes a two-node cluster, with nodes xxxx1.com and xxxx2.com:

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
$ ssh xxxx2.com cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ ssh xxxx2.com cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

Note: The first time you use SSH to connect to a node from a particular system, you may see a message similar to the following:

The authenticity of host 'xxxx1.com' can't be established.
RSA key fingerprint is 61:8a:f9:9e:28:a2:b7:d3:70:8d:dc:76:ca:d9:23:43.
Are you sure you want to continue connecting (yes/no)? yes

Enter yes at the prompt to continue. You should not see this message again when you connect from this system to the same node.

At this point, we have the content of the RSA and DSA public keys from every node in the cluster in the authorized key file (~/.ssh/authorized_keys) on xxxx1.com. We now need to copy it to the remaining nodes in the cluster. Use the scp command to copy the authorized key file to all remaining nodes in the cluster:

$ scp ~/.ssh/authorized_keys xxxx2.com:.ssh/authorized_keys
oracle@xxxx2.com's password: xxxxx
authorized_keys                          100% 1652 1.6KB/s 00:00

Change the permission of the authorized key file for both Oracle RAC nodes in the cluster by logging into the node and running the following:

$ chmod 600 ~/.ssh/authorized_keys

At this point, if you use SSH to log in to or run a command on another node, you are prompted for the pass phrase that you specified when you created the DSA key. For example, test the following from any one of the nodes:

$ ssh xxxx1.com hostname
xxxx1.com
$ ssh xxxx2.com hostname
xxxx2.com
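The merge-and-permission step above is easy to get subtly wrong (a stray prompt line or error message appended to authorized_keys, the same key pasted twice, a 644 file that sshd then refuses). The following helper is an added example, not part of the original post: it assumes you have already fetched each node's id_rsa.pub and id_dsa.pub into local files (for instance with `ssh xxxx2.com cat ~/.ssh/id_rsa.pub > xxxx2.rsa.pub`), validates each line, skips duplicates, and applies the 700/600 permissions the procedure requires.

```shell
#!/bin/sh
# merge_authorized_keys: build an authorized_keys file from public keys
# collected from every node (hypothetical helper, not from the original post).
# Usage: merge_authorized_keys <ssh_dir> <pubkey_file>...
# Each <pubkey_file> holds one node's id_rsa.pub or id_dsa.pub, fetched
# beforehand, e.g. "ssh xxxx2.com cat ~/.ssh/id_rsa.pub > xxxx2.rsa.pub".
set -eu

valid_pubkey_line() {
  # Accept only "<type> <base64> [comment]" with an RSA or DSA key type;
  # anything else (prompts, error text, truncated lines) is rejected.
  printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-dss) [A-Za-z0-9+/]+=*( .*)?$'
}

merge_authorized_keys() {
  ssh_dir=$1; shift
  auth="$ssh_dir/authorized_keys"
  # Same permissions the procedure requires: 700 on .ssh, 600 on the file
  mkdir -p "$ssh_dir"; chmod 700 "$ssh_dir"
  touch "$auth"; chmod 600 "$auth"
  added=0
  for f in "$@"; do
    while IFS= read -r line || [ -n "$line" ]; do
      if [ -z "$line" ]; then continue; fi
      if ! valid_pubkey_line "$line"; then
        echo "skipping malformed line in $f: $line" >&2
        continue
      fi
      # Compare type + key material only, so the same key with a different
      # trailing comment is still recognised as a duplicate
      key=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
      if grep -Fq -- "$key" "$auth"; then
        continue
      fi
      printf '%s\n' "$line" >> "$auth"
      added=$((added + 1))
    done < "$f"
  done
  # Print the number of keys appended so callers can check the result
  echo "$added"
}
```

Run it once on the node that collects the keys, then scp the resulting file to the other nodes as shown above.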

To allow root to log in using SSH keys, PermitRootLogin should be set to without-password (which accepts key-based root login but rejects password authentication for root) or left unset in sshd_config. Test the setting as shown below.

# grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin without-password
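A plain grep can mislead: sshd ignores commented lines, matches keywords case-insensitively, uses the first occurrence of a keyword, and treats anything after a Match block as conditional. The audit helper below is an added example, not from the original post; it takes the sshd_config path as an argument and reports the effective value, treating prohibit-password (the newer OpenSSH synonym for without-password) as equivalent.

```shell
#!/bin/sh
# Report the effective PermitRootLogin value of an sshd_config file
# (added audit helper, not from the original post; path is an argument).
# sshd rules mirrored here: '#' starts a comment, keywords are
# case-insensitive, the FIRST occurrence of a keyword wins, and settings
# after a Match line are conditional, so the scan stops there.
effective_permit_root_login() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comments and blanks
    tolower($1) == "match" { exit }                  # conditional section
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Succeeds only when the explicit setting restricts root to key-based login.
# without-password is the spelling used above; prohibit-password is the
# synonym accepted by OpenSSH 7.0 and later. "unset" means the sshd
# default of the installed version applies, so it is reported, not assumed.
root_key_only() {
  case "$(effective_permit_root_login "$1")" in
    without-password|prohibit-password) return 0 ;;
    *) return 1 ;;
  esac
}

# Example run against the live configuration (needs read access):
#   root_key_only /etc/ssh/sshd_config && echo "root: key-only" \
#     || echo "root: review PermitRootLogin ($(effective_permit_root_login /etc/ssh/sshd_config))"
```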
