Wednesday, January 6, 2010

Enabling SSH User Equivalency on Cluster Member Nodes (Oracle RAC)



Creating Identical Users and Groups on Other Cluster Nodes

The Oracle software users and groups must exist and be identical on all cluster nodes. To create these identical users and groups, you must identify the user ID and group IDs assigned to them on the node where you created them, then create the user and groups with the same name and ID on the other cluster nodes. You must create identical users and groups on other cluster nodes only if you are using local users and groups. If you are using users and groups defined in a directory service such as NIS, they are already identical on each cluster node.
Identifying the User and Group IDs
To determine the user ID (UID) and the group IDs (GID) for the groups, follow these steps:
1.     Enter following command:
2.  # id oracle
The output from this command is similar to the following:
uid=440(oracle) gid=200(oinstall) groups=201(dba),202(oper)
3.     From the output, identify the user identity (UID) for the Oracle user and the group identities (GIDs) for the groups to which it belongs.
Creating the User and Groups on the Other Cluster Nodes
To create the user and groups on the other cluster nodes, repeat the following procedure on each node:
1.     Log in to the cluster node in which you want to create the user and groups as root.
2.     Enter commands as per the syntax to create the respective groups. Use the -g option to specify the correct GID for each group:
3.  # /usr/sbin/groupadd -g <group_id> <group_name>

Configuring SSH on all Cluster Nodes

Before you install and use Oracle Real Application Clusters, you must configure secure shell (SSH) for the oracle user on all cluster nodes. Oracle Universal Installer uses the ssh and scp commands during installation to run remote commands on and copy files to the other cluster nodes. You must configure SSH so that these commands do not prompt for a password.
Note:
This section describes how to configure OpenSSH version 3. If SSH is not available, then Oracle Universal Installer attempts to use rsh and rcp instead. However, these services are disabled by default on most Linux systems.
Configuring SSH on Cluster Member Nodes
To configure SSH, complete the following steps on each cluster node:
1.     Log in as the Oracle user.
2.     If necessary, create the .ssh directory in the Oracle user's home directory and set the correct permissions for it:
3.  $ mkdir ~/.ssh
4.  $ chmod 700 ~/.ssh
5.     Enter the following commands to generate an RSA key for version 2 of the SSH protocol:
6.  $ /usr/bin/ssh-keygen -t rsa
At the prompts:
o    Accept the default location for the key file.
o    Enter and confirm a different pass phrase from the Oracle user's password.
This command writes the public key to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file. Never distribute the private key to anyone.
7.     Enter the following command to generate a DSA key for version 2 of the SSH protocol:
8.  $ /usr/bin/ssh-keygen -t dsa
At the prompts:
o    Accept the default location for the key file.
o    Enter and confirm a pass phrase that is different from the Oracle user's password.
This command writes the public key to the ~/.ssh/id_dsa.pub file and the private key to the ~/.ssh/id_dsa file. Never distribute the private key to anyone.
9.     Copy the contents of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files to the ~/.ssh/authorized_keys file on this node and to the same file on all other cluster nodes.
Note:
The ~/.ssh/authorized_keys file on every node must contain the contents from all of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files that you generated on all cluster nodes.
10.  Change the permissions on the ~/.ssh/authorized_keys file on all cluster nodes:
11.$ chmod 600 ~/.ssh/authorized_keys
At this point, if you use ssh to log in to or run a command on another node, you are prompted for the pass phrase that you specified when you created the DSA key.
Enabling SSH User Equivalency on Cluster Member Nodes
To enable Oracle Universal Installer to use the ssh and scp commands without being prompted for a pass phrase, follow these steps:
1.     On the system where you want to run Oracle Universal Installer, log in as the Oracle user.
2.     Enter the following commands:
3.  $ exec /usr/bin/ssh-agent $SHELL
4.  $ /usr/bin/ssh-add
5.     At the prompts, enter the pass phrase for each key that you generated.
If you have configured SSH correctly, then you can use the ssh or scp commands without being prompted for a password or a pass phrase.
6.     To test the SSH configuration, enter the following commands from the same terminal session, testing the configuration of each cluster node:
7.  $ ssh nodename1 date
8.  $ ssh nodename2 date

No comments:

Post a Comment