10 Jun

User Equivalence Configuration

There are two nodes in the cluster: ebsdb01.dbaarena.com and ebsdb02.dbaarena.com.


cd $ORACLE_HOME/oui/prov/resources/scripts
[oraprod@ebsdb01 scripts]$ ls -ltr
total 100
-rwxr-x--- 1 oraprod oinstall 1394 Jul 20 2006 validatePaths
-rwxr-x--- 1 oraprod oinstall 6983 Jul 20 2006 ouiSetup
-rwxr-x--- 1 oraprod oinstall 35064 Dec 11 2006 sshUserSetupNT.sh
-rwxr-x--- 1 oraprod oinstall 16520 Mar 31 2009 sshConnectivity.sh
-rwxr-x--- 1 oraprod oinstall 32343 Dec 16 2009 sshUserSetup.sh

./sshUserSetup.sh -user <username> -hosts "<hostname1> <hostname2>" -noPromptPassphrase

 
Run this script on both nodes.
 
[oraprod@ebsdb01 scripts]$ ./sshUserSetup.sh -user oraprod -hosts "ebsdb01 ebsdb02" -noPromptPassphrase
The output of this script is also logged into /tmp/sshUserSetup_2015-06-08-11-50-25.log
Hosts are ebsdb01 ebsdb02
user is oraprod
Platform:- Linux
Checking if the remote hosts are reachable
PING ebsdb01.dbaarena.com (172.25.111.1) 56(84) bytes of data.
64 bytes from ebsdb01.dbaarena.com (172.25.111.1): icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from ebsdb01.dbaarena.com (172.25.111.1): icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from ebsdb01.dbaarena.com (172.25.111.1): icmp_seq=3 ttl=64 time=0.029 ms
64 bytes from ebsdb01.dbaarena.com (172.25.111.1): icmp_seq=4 ttl=64 time=0.037 ms
64 bytes from ebsdb01.dbaarena.com (172.25.111.1): icmp_seq=5 ttl=64 time=0.018 ms

--- ebsdb01.dbaarena.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.018/0.027/0.037/0.007 ms
PING ebsdb02.dbaarena.com (172.25.111.2) 56(84) bytes of data.
64 bytes from ebsdb02.dbaarena.com (172.25.111.2): icmp_seq=1 ttl=64 time=0.167 ms
64 bytes from ebsdb02.dbaarena.com (172.25.111.2): icmp_seq=2 ttl=64 time=0.140 ms
64 bytes from ebsdb02.dbaarena.com (172.25.111.2): icmp_seq=3 ttl=64 time=0.167 ms
64 bytes from ebsdb02.dbaarena.com (172.25.111.2): icmp_seq=4 ttl=64 time=0.145 ms
64 bytes from ebsdb02.dbaarena.com (172.25.111.2): icmp_seq=5 ttl=64 time=0.130 ms

--- ebsdb02.dbaarena.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.130/0.149/0.167/0.021 ms
Remote host reachability check succeeded.
The following hosts are reachable: ebsdb01 ebsdb02.
The following hosts are not reachable: .
All hosts are reachable. Proceeding further...
firsthost ebsdb01
numhosts 2
The script will setup SSH connectivity from the host ebsdb01.dbaarena.com to all
the remote hosts. After the script is executed, the user can use SSH to run
commands on the remote hosts or copy files between this host ebsdb01.dbaarena.com
and the remote hosts without being prompted for passwords or confirmations.

NOTE 1:
As part of the setup procedure, this script will use ssh and scp to copy
files between the local host and the remote hosts. Since the script does not
store passwords, you may be prompted for the passwords during the execution of
the script whenever ssh or scp is invoked.

NOTE 2:
AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY
AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE
directories.

Do you want to continue and let the script make the above mentioned changes (yes/no)?
yes

The user chose yes
User chose to skip passphrase related questions.
Creating .ssh directory on local host, if not present already
Creating authorized_keys file on local host
Changing permissions on authorized_keys to 644 on local host
Creating known_hosts file on local host
Changing permissions on known_hosts to 644 on local host
Creating config file on local host
If a config file exists already at /home/oraprod/.ssh/config, it would be backed up to /home/oraprod/.ssh/config.backup.
Removing old private/public keys on local host
Running SSH keygen on local host with empty passphrase
Generating public/private rsa key pair.
Your identification has been saved in /home/oraprod/.ssh/id_rsa.
Your public key has been saved in /home/oraprod/.ssh/id_rsa.pub.
The key fingerprint is:
64:63:90:2f:d3:f5:a8:03:4b:4b:c8:e6:c4:95:bc:03 oraprod@ebsdb01.dbaarena.com
Creating .ssh directory and setting permissions on remote host ebsdb01
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oraprod. THIS IS AN SSH
REQUIREMENT.
The script would create ~oraprod/.ssh/config file on remote host ebsdb01. If a config file exists already at
~oraprod/.ssh/config, it would be backed up to ~oraprod/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host ebsdb01.
Warning: Permanently added 'ebsdb01,172.25.111.1' (RSA) to the list of known hosts.
oraprod@ebsdb01's password:
Done with creating .ssh directory and setting permissions on remote host ebsdb01.
Creating .ssh directory and setting permissions on remote host ebsdb02
THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR group AND others ON THE HOME DIRECTORY FOR oraprod. THIS IS AN SSH
REQUIREMENT.
The script would create ~oraprod/.ssh/config file on remote host ebsdb02. If a config file exists already at
~oraprod/.ssh/config, it would be backed up to ~oraprod/.ssh/config.backup.
The user may be prompted for a password here since the script would be running SSH on host ebsdb02.
Warning: Permanently added 'ebsdb02,172.25.111.2' (RSA) to the list of known hosts.
oraprod@ebsdb02's password:
Done with creating .ssh directory and setting permissions on remote host ebsdb02.
Copying local host public key to the remote host ebsdb01
The user may be prompted for a password or passphrase here since the script would be using SCP for host ebsdb01.
oraprod@ebsdb01's password:
Done copying local host public key to the remote host ebsdb01
Copying local host public key to the remote host ebsdb02
The user may be prompted for a password or passphrase here since the script would be using SCP for host ebsdb02.
oraprod@ebsdb02's password:
Done copying local host public key to the remote host ebsdb02
cat: /home/oraprod/.ssh/known_hosts.tmp: No such file or directory
cat: /home/oraprod/.ssh/authorized_keys.tmp: No such file or directory
SSH setup is complete.

------------------------------------------------------------------------
Verifying SSH setup
===================
The script will now run the date command on the remote nodes using ssh
to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,
THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR
PASSWORDS. If you see any output other than date or are prompted for the
password, ssh is not setup correctly and you will need to resolve the
issue and set up ssh again.
The possible causes for failure could be:
1. The server settings in /etc/ssh/sshd_config file do not allow ssh
for user oraprod.
2. The server may have disabled public key based authentication.
3. The client public key on the server may be outdated.
4. ~oraprod or ~oraprod/.ssh on the remote host may not be owned by oraprod.
5. User may not have passed -shared option for shared remote users or
may be passing the -shared option for non-shared remote users.
6. If there is output in addition to the date, but no password is asked,
it may be a security alert shown as part of company policy. Append the
additional text to the /sysman/prov/resources/ignoreMessages.txt file.
------------------------------------------------------------------------
--ebsdb01:--
Running /usr/bin/ssh -x -l oraprod ebsdb01 date to verify SSH connectivity has been setup from local host to ebsdb01.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS
NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Mon Jun 8 11:51:04 AST 2015
------------------------------------------------------------------------
--ebsdb02:--
Running /usr/bin/ssh -x -l oraprod ebsdb02 date to verify SSH connectivity has been setup from local host to ebsdb02.
IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS
NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR.
Mon Jun 8 11:51:05 AST 2015
------------------------------------------------------------------------
SSH verification complete.
 
Run the following commands on both nodes; they should not prompt for a password.
 
[oraprod@ebsdb01 scripts]$ /usr/bin/ssh -x -l oraprod ebsdb01 date
Mon Jun 8 11:51:38 AST 2015
 
[oraprod@ebsdb01 scripts]$ /usr/bin/ssh -x -l oraprod ebsdb02 date
Mon Jun 8 11:51:45 AST 2015
 
If it prompts for a password, check whether the ssh authorized_keys file contains the public keys of both nodes.
[oraprod@ebsdb02 ~]$ cd .ssh/
[oraprod@ebsdb02 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3FAXoeabbELuGbaPfeaVqlxn2AkKU6Den6oPrZMeowJfeLn5CDzquCgRRbhsupHByah/UqxJaOn1bbr/neTEegw+652AyAbgBcd7Es+I/4WzM75HYcagclDzShAtRUs8s8P26FytFws0AH8Ageb0fA5TwFKLruEhb5EV/bFKbWU= oraprod@ebsdb02-mgmt.dbaarena.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3FAXoeabbELuGbaPfeaVqlxn2AkKU6Den6oPrZMeowJfeLn5CDzquCgRRbhsupHByah/UqxJaOn1bbr/neTEegw+652AyAbgBcd7Es+I/4WzM75HYcagclDzShAtRUs8s8P26FytFws0AH8Ageb0fA5TwFKLruEhb5EV/bFKbWU= oraprod@ebsdb02.dbaarena.com
 
From the above we see that node 2 does not have the public key of node 1 in its authorized_keys file; both entries belong to node 2.
 
Copy the public key of node 1 (~/.ssh/id_rsa.pub on ebsdb01) into the .ssh/authorized_keys file on node 2.
 
 

Manual User Equivalence Configuration

 
There are two nodes in the cluster: ebsdb01.dbaarena.com and ebsdb02.dbaarena.com.
 
Create a .ssh directory in the user's home location.

mkdir .ssh
chmod -R 700 .ssh

Enter the following command:
/usr/bin/ssh-keygen -t rsa
Accept the default settings.
The RSA public key is written to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file.

Add All Keys to a Common authorized_keys File
Log in to the ebsdb01.dbaarena.com node, generate an authorized_keys file and copy it to ebsdb02.dbaarena.com using the following commands.


su - oraprod
cd .ssh
cat id_rsa.pub >> authorized_keys
scp authorized_keys ebsdb02.dbaarena.com:/home/oraprod/.ssh/

Next, log in to ebsdb02.dbaarena.com and perform the following commands.


su - oraprod
cd .ssh
cat id_rsa.pub >> authorized_keys
scp authorized_keys ebsdb01.dbaarena.com:/home/oraprod/.ssh/

The "authorized_keys" file on both servers now contains the public keys generated on all nodes.
 
To verify SSH user equivalency on the cluster member nodes, issue the following commands on each node.

ssh ebsdb01 date

ssh ebsdb02 date

ssh ebsdb01.dbaarena.com date

ssh ebsdb02.dbaarena.com date

 
You should now be able to SSH and SCP between servers without entering passwords.
 
If any node prompts for a password, then verify that the ~/.ssh/authorized_keys file on that node contains the correct public keys, and that you have created an Oracle software owner with identical group membership and IDs.
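The following POSIX shell script is an added example, not part of the original post or of Oracle's sshUserSetup.sh. It audits the two conditions that both the failing case shown earlier (node 2 holding only its own key) and the manual procedure depend on: that a node's authorized_keys contains the key material of every cluster node, and that the home directory, .ssh and authorized_keys are not group or world writable. The file paths are supplied as arguments and are assumptions; nothing is taken from the page's hosts.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits the two conditions the
# procedures above depend on: every cluster node's public key is present in
# authorized_keys, and ~, ~/.ssh and authorized_keys are not group/world writable.
# Paths are passed as arguments; none of them are taken from the page.

# missing_keys AUTHORIZED_KEYS PUBKEY...
# Prints the comment (or file name) of every public key whose key material is
# absent from AUTHORIZED_KEYS. Returns 0 when all keys are present, 1 otherwise.
# Assumes plain entries ("type base64 comment") without option prefixes.
missing_keys() {
    auth="$1"; shift
    rc=0
    for pub in "$@"; do
        # Compare only "type base64"; the trailing comment (user@host) is not
        # part of the credential and differed between the two ebsdb02 entries.
        keydata=$(awk '{print $1" "$2}' "$pub")
        if ! awk '{print $1" "$2}' "$auth" | grep -qxF -- "$keydata"; then
            comment=$(awk '{print $3}' "$pub")
            echo "${comment:-$pub}"
            rc=1
        fi
    done
    return $rc
}

# check_ssh_perms HOME_DIR
# sshd ignores authorized_keys when the home directory, .ssh or the file itself
# is writable by group or others; this is why sshUserSetup.sh revokes those bits.
# Returns 0 when all three are safe, 1 (printing the offending path) otherwise.
check_ssh_perms() {
    home="$1"
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || continue
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
        # Group is the second-to-last octal digit, others the last; a write bit
        # is set when that digit is 2, 3, 6 or 7.
        case "$mode" in
            *[2367]?|*[2367]) echo "writable by group/others: $path (mode $mode)"; return 1 ;;
        esac
    done
    return 0
}

# Usage: sh audit_equivalence.sh ~/.ssh/authorized_keys node1.pub node2.pub
if [ "$#" -ge 2 ]; then
    check_ssh_perms "$HOME" && missing_keys "$@" && echo "all cluster keys present"
fi
```

Run it on each node with that node's authorized_keys and the id_rsa.pub files collected from all nodes; any name it prints is a key that still has to be appended, which is exactly the condition that produced the password prompt above.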
