Configure SSH for User Equivalence

October 28, 2013

#######################################################################

Configure SSH for User Equivalence between racdev01 and racdev02 server

#######################################################################

11gR2: enable passwordless SSH between two nodes automatically.

==================================================================

From 11gR2 onward, you don't have to follow multiple steps to set up passwordless SSH.

You need to have the oracle/grid user password before running the script below.

Just run the script provided with the Oracle Grid software, as below:

racdev01:/u01/soft/GRID/grid/sshsetup: ls -ltrh

total 62

-rwxrwxrwx   1 grid     oinstall       31K Nov 23  2009 sshUserSetup.sh

Log in as oracle/grid and run the scripts below respectively.

./sshUserSetup.sh -hosts "racdev01 racdev02" -user grid -advanced -noPromptPassphrase

./sshUserSetup.sh -hosts "racdev01 racdev02" -user oracle -advanced -noPromptPassphrase

Note:

I had to modify the PATH in the script (sshUserSetup.sh) as below.

OLD:

"SunOS")  SSH="/usr/local/bin/ssh"

SSH_KEYGEN="/usr/local/bin/ssh-keygen"

 

racdev01:/export/home/oracle: ls -l /usr/local/bin/ssh

/usr/local/bin/ssh: No such file or directory

racdev01:/export/home/oracle: ls -l /usr/local/bin/ssh-keygen

/usr/local/bin/ssh-keygen: No such file or directory

 

New:

 

racdev01:/export/home/oracle: ls -l /usr/bin/ssh

-r-xr-xr-x   1 root     bin       248880 Oct 10  2012 /usr/bin/ssh

racdev01:/export/home/oracle: ls -l /usr//bin/ssh-keygen

-r-xr-xr-x   1 root     bin        82924 Oct 10  2012 /usr//bin/ssh-keygen

"SunOS")  SSH="/usr/bin/ssh"

SSH_KEYGEN="/usr/bin/ssh-keygen"

10g, Manual Steps to configure SSH

==============================================

During the installation of Oracle RAC 10g Release 2, OUI needs to copy files to and execute programs on the other nodes in the cluster. In order to allow OUI to do that, you must configure SSH to allow user equivalence. Establishing user equivalence with SSH provides a secure means of copying files and executing programs on other nodes in the cluster without requiring password prompts.

To check status

=================

racdev01:/opt/oracle: svcs -v ssh

STATE          NSTATE        STIME    CTID   FMRI

online         -             Jan_26       60 svc:/network/ssh:default

ps -ef | grep sshd

svcadm enable ssh
svcadm restart ssh

svcs -av | grep ssh

===============

1) racdev01

===============

1)    cd $HOME

mkdir .ssh

cd ~/.ssh

2) chmod 700 ~/.ssh

racdev01:/opt/oracle: ls -altr

drwx------   2 oracle   dba          512 Feb  7 05:28 .ssh

3) racdev01:/opt/oracle/.ssh: ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/opt/oracle/.ssh/id_rsa): <Just press Enter>

Enter passphrase (empty for no passphrase): <Just press Enter>

Enter same passphrase again: <Just press Enter>

Your identification has been saved in /opt/oracle/.ssh/id_rsa.

Your public key has been saved in /opt/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

91:14:28:32:6f:a8:f1:eb:0a:61:a0:24:ba:48:e3:88 oracle@racdev01

Note: When prompted for the path and passphrase above, just press Enter three times.

4) racdev01:/opt/oracle/.ssh: ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/opt/oracle/.ssh/id_dsa): <Just press Enter>

Enter passphrase (empty for no passphrase): <Just press Enter>

Enter same passphrase again: <Just press Enter>

Your identification has been saved in /opt/oracle/.ssh/id_dsa.

Your public key has been saved in /opt/oracle/.ssh/id_dsa.pub.

The key fingerprint is:

1c:8a:65:4c:ec:e5:4e:2f:72:0e:52:6e:6b:6b:26:1c oracle@racdev01

Note: When prompted for the path and passphrase above, just press Enter three times.

5) cat *.pub >> authorized_keys.node1

6) racdev01:/opt/oracle/.ssh: scp authorized_keys.node1 racdev02:/opt/oracle/.ssh/

lost connection

As the above scp was not working, I had to transfer the file (authorized_keys) manually from my local desktop to each server.

OR

Try below as root:

scp authorized_keys.node1 oracle@racdev02:/opt/oracle/.ssh/

===============

2) racdev02

===============

1)    cd $HOME

mkdir .ssh

cd ~/.ssh

2) chmod 700 ~/.ssh

3) racdev02:/opt/oracle/.ssh: ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/opt/oracle/.ssh/id_rsa): <Just press Enter>

Enter passphrase (empty for no passphrase): <Just press Enter>

Enter same passphrase again: <Just press Enter>

Your identification has been saved in /opt/oracle/.ssh/id_rsa.

Your public key has been saved in /opt/oracle/.ssh/id_rsa.pub.

The key fingerprint is:

50:89:0c:1e:04:c9:f2:cc:0c:88:55:d6:9e:08:cd:f0 oracle@racdev02

racdev02:/opt/oracle/.ssh:

4) racdev02:/opt/oracle/.ssh: ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter file in which to save the key (/opt/oracle/.ssh/id_dsa): <Just press Enter>

Enter passphrase (empty for no passphrase): <Just press Enter>

Enter same passphrase again: <Just press Enter>

Your identification has been saved in /opt/oracle/.ssh/id_dsa.

Your public key has been saved in /opt/oracle/.ssh/id_dsa.pub.

The key fingerprint is:

c7:94:43:e4:ce:69:37:10:19:cb:d3:8e:15:0f:92:be oracle@racdev02

racdev02:/opt/oracle/.ssh:

5) cat *.pub >> authorized_keys.node2

6) racdev02:/opt/oracle/.ssh: scp authorized_keys.node2 racdev01:/opt/oracle/.ssh/

lost connection

As the above scp was not working, I had to transfer the file (authorized_keys) manually from my local desktop to each server.

OR

Try below as root:

scp authorized_keys.node2 oracle@racdev01:/opt/oracle/.ssh/

 

=============

3) racdev01

=============

 

racdev01:/opt/oracle/.ssh: ls -ltr

total 20

-rw-r--r--   1 oracle   dba           54 Jan 17 14:52 config.bak

-rw-r--r--   1 oracle   dba           54 Jan 17 14:52 config

-rw-r--r--   1 oracle   dba          440 Feb  1 01:40 known_hosts.bak

-rw-r--r--   1 oracle   dba          440 Feb  1 01:40 known_hosts

-rw-------   1 oracle   dba          887 Feb  8 01:12 id_rsa

-rw-r--r--   1 oracle   dba          227 Feb  8 01:12 id_rsa.pub

-rw-------   1 oracle   dba          668 Feb  8 01:13 id_dsa

-rw-r--r--   1 oracle   dba          607 Feb  8 01:13 id_dsa.pub

-rw-r--r--   1 oracle   dba          834 Feb  8 01:16 authorized_keys.node1

-rw-r--r--   1 oracle   dba          834 Feb  8 01:29 authorized_keys.node2

racdev01:/opt/oracle/.ssh:

7) cd $HOME/.ssh

8) cat *.node* >> authorized_keys

9) chmod 600 authorized_keys

Optionally:

Update above authorized_keys to /etc/ssh/authorized_keys/oracle

10) racdev01:/opt/oracle/.ssh: cat authorized_keys > /etc/ssh/authorized_keys/oracle

racdev01:/opt/oracle/.ssh: ls -l /etc/ssh/authorized_keys/oracle

-rw-r--r--   1 oracle   dba         1668 Feb  8 07:32 /etc/ssh/authorized_keys/oracle

racdev01:/opt/oracle/.ssh: ssh racdev02

racdev02:/opt/oracle:

SSH started working, after updating the file /etc/ssh/authorized_keys/oracle.

============

4) racdev02

============

racdev01:/opt/oracle/.ssh: ls -ltr

total 24

-rw-r--r--   1 oracle   dba           54 Jan 17 14:52 config.bak

-rw-r--r--   1 oracle   dba           54 Jan 17 14:52 config

-rw-r--r--   1 oracle   dba          440 Feb  1 01:40 known_hosts.bak

-rw-------   1 oracle   dba          887 Feb  8 01:12 id_rsa

-rw-r--r--   1 oracle   dba          227 Feb  8 01:12 id_rsa.pub

-rw-------   1 oracle   dba          668 Feb  8 01:13 id_dsa

-rw-r--r--   1 oracle   dba          607 Feb  8 01:13 id_dsa.pub

-rw-r--r--   1 oracle   dba          834 Feb  8 01:16 authorized_keys.node1

-rw-r--r--   1 oracle   dba          834 Feb  8 01:29 authorized_keys.node2

-rw-r--r--   1 oracle   dba         1668 Feb  8 01:31 authorized_keys

-rw-r--r--   1 oracle   dba          440 Feb  8 02:06 known_hosts

-rw-r--r--   1 oracle   dba            0 Feb  8 02:07 abc.txt

racdev01:/opt/oracle/.ssh:

7) cd $HOME/.ssh

8) cat *.node* >> authorized_keys

9) chmod 600 authorized_keys

Optionally:

Update above authorized_keys to /etc/ssh/authorized_keys/oracle

racdev02:/opt/oracle/.ssh: ls -l /etc/ssh/authorized_keys/oracle

-rw-r--r--   1 oracle   dba            0 Jan 17 13:12 /etc/ssh/authorized_keys/oracle

10) racdev02:/opt/oracle/.ssh: cat authorized_keys > /etc/ssh/authorized_keys/oracle

racdev02:/opt/oracle/.ssh: ls -l /etc/ssh/authorized_keys/oracle

-rw-r--r--   1 oracle   dba         1668 Feb  8 07:33 /etc/ssh/authorized_keys/oracle

racdev02:/opt/oracle/.ssh: ssh racdev01

racdev01:/opt/oracle:
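
The permission and merge steps above (2, 8 and 9) can be checked on each node with a small script. This is an added example, not part of the original post or of Oracle's scripts; the function names (mode_of, audit_ssh_dir, demo) and the sample key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a ~/.ssh directory built by the manual steps above.
# Function names are illustrative; key material below is constructed.

# 10-character mode string (e.g. drwx------), read via ls for portability.
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# audit_ssh_dir DIR: prints one FAIL line per finding, returns the count.
audit_ssh_dir() {
    dir=$1; ak="$dir/authorized_keys"; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Step 2: chmod 700 ~/.ssh
    [ "$(mode_of "$dir")" = "drwx------" ] || fail "$dir is not mode 700"

    # Step 9: chmod 600 authorized_keys
    if [ -f "$ak" ]; then
        [ "$(mode_of "$ak")" = "-rw-------" ] || fail "authorized_keys is not mode 600"
    else
        fail "authorized_keys is missing"
    fi

    # Private keys (created without a passphrase here) must be owner-only.
    for key in "$dir/id_rsa" "$dir/id_dsa"; do
        [ -f "$key" ] || continue
        [ "$(mode_of "$key")" = "-rw-------" ] || fail "$key is not mode 600"
    done

    # Step 8: every key in authorized_keys.node* must appear in authorized_keys.
    for bundle in "$dir"/authorized_keys.node*; do
        [ -f "$bundle" ] || continue
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            grep -qxF -- "$line" "$ak" 2>/dev/null ||
                fail "key ${line##* } from $bundle not merged"
        done < "$bundle"
    done

    # Step 8 appends with >>, so repeating it duplicates every key.
    if [ -f "$ak" ]; then
        dups=$(sort "$ak" | uniq -d | wc -l | tr -d ' ')
        [ "$dups" -eq 0 ] || fail "authorized_keys has $dups duplicated line(s)"
    fi
    return "$problems"
}

# Constructed demo directory containing three of the mistakes checked above.
demo() {
    d=$(mktemp -d)/.ssh; mkdir "$d"; chmod 755 "$d"
    echo "ssh-rsa AAAAconstructed1 oracle@racdev01" > "$d/authorized_keys.node1"
    echo "ssh-rsa AAAAconstructed2 oracle@racdev02" > "$d/authorized_keys.node2"
    cat "$d/authorized_keys.node1" > "$d/authorized_keys"   # node2 never merged
    chmod 644 "$d/authorized_keys"
    audit_ssh_dir "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real node, call audit_ssh_dir "$HOME/.ssh" after step 9; the return value is the number of findings.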

####################################################

TEST

####################################################

racdev01:/opt/oracle: hostname

racdev01

racdev01:/opt/oracle: ssh racdev02 uname -a;date

SunOS racdev02 5.10 Generic_147440-02 sun4u sparc SUNW,Sun-Fire-V440

Wed Feb  8 08:26:37 EST 2012

racdev01:/opt/oracle:

Also check SCP between two servers.

racdev02:/opt/oracle: hostname

racdev02

racdev02:/opt/oracle: ssh racdev01 uname -a;date

SunOS racdev01 5.10 Generic_147440-02 sun4u sparc SUNW,Sun-Fire-V440

Wed Feb  8 08:27:33 EST 2012

racdev02:/opt/oracle:

————————————————————-

Test node reachability using runcluvfy

————————————————————–

cd /u01/orasoft/11201/grid

./runcluvfy.sh comp nodereach -n racdev01,racdev02 -verbose

racdev01:/u01/orasoft/11201/grid:

./runcluvfy.sh comp nodereach -n racdev01,racdev02 -verbose

Verifying node reachability

Checking node reachability…

Check: Node reachability from node “racdev01”

Destination Node                      Reachable?

————————————  ————————

racdev01                            yes

racdev02                            yes

Result: Node reachability check passed from node “racdev01”

Verification of node reachability was successful.

—————————————————————–

runcluvfy.sh stage -post hwos -n racdev01,racdev02 -verbose

 

 

racdev01:/u01/orasoft/11201/grid:

runcluvfy.sh stage -post hwos -n racdev01,racdev02 -verbose

Performing post-checks for hardware and operating system setup

Checking node reachability…

Check: Node reachability from node “racdev01”

Destination Node                      Reachable?

————————————  ————————

racdev01                            yes

racdev02                            yes

Result: Node reachability check passed from node “racdev01”

Checking user equivalence…

Check: User equivalence for user “oracle”

Node Name                             Comment

————————————  ————————

racdev01                            passed

racdev02                            passed

Result: User equivalence check passed for user “oracle”

Checking node connectivity…

Checking hosts config file…

Node Name     Status                    Comment

————  ————————  ————————

racdev01    passed

racdev02    passed

Verification of the hosts config file successful

Interface information for node “racdev01”

Name   IP Address      Subnet          Gateway         Def. Gateway    HW Address        MTU

—— ————— ————— ————— ————— —————– ——

ce0    147.141.200.4   147.141.200.0   147.141.200.6   147.141.200.250 00:03:BA:C3:8A:E1 1500

ce1    147.141.200.5   147.141.200.0   147.141.200.6   147.141.200.250 00:03:BA:B1:13:88 1500

ce1    147.141.200.6   147.141.200.0   147.141.200.6   147.141.200.250 00:03:BA:B1:13:88 1500

ce3    192.168.103.34  192.168.103.0   192.168.103.34  147.141.200.250 00:03:BA:B1:13:8A 1500

ce3    192.168.103.35  192.168.103.0   192.168.103.35  147.141.200.250 00:03:BA:B1:13:8A 1500

ce7    192.168.102.15  192.168.102.0   192.168.102.15  147.141.200.250 00:03:BA:B1:35:02 1500

ce8    192.168.101.15  192.168.101.0   192.168.101.15  147.141.200.250 00:03:BA:B1:35:03 1500

Interface information for node “racdev02”

Name   IP Address      Subnet          Gateway         Def. Gateway    HW Address        MTU

—— ————— ————— ————— ————— —————– ——

ce0    147.141.200.8   147.141.200.0   147.141.200.7   147.141.200.250 00:03:BA:74:63:9B 1500

ce1    147.141.200.9   147.141.200.0   147.141.200.7   147.141.200.250 00:03:BA:DA:18:3F 1500

ce1    147.141.200.7   147.141.200.0   147.141.200.7   147.141.200.250 00:03:BA:DA:18:3F 1500

ce3    192.168.103.36  192.168.103.0   192.168.103.36  147.141.200.250 00:03:BA:DA:18:41 1500

ce3    192.168.103.37  192.168.103.0   192.168.103.37  147.141.200.250 00:03:BA:DA:18:41 1500

ce7    192.168.102.16  192.168.102.0   192.168.102.16  147.141.200.250 00:03:BA:B3:2E:56 1500

ce8    192.168.101.16  192.168.101.0   192.168.101.16  147.141.200.250 00:03:BA:B3:2E:57 1500

Check: Node connectivity of subnet “147.141.200.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:ce0                  racdev01:ce1                  yes

racdev01:ce0                  racdev01:ce1                  yes

racdev01:ce0                  racdev02:ce0                  yes

racdev01:ce0                  racdev02:ce1                  yes

racdev01:ce0                  racdev02:ce1                  yes

racdev01:ce1                  racdev01:ce1                  yes

racdev01:ce1                  racdev02:ce0                  yes

racdev01:ce1                  racdev02:ce1                  yes

racdev01:ce1                  racdev02:ce1                  yes

racdev01:ce1                  racdev02:ce0                  yes

racdev01:ce1                  racdev02:ce1                  yes

racdev01:ce1                  racdev02:ce1                  yes

racdev02:ce0                  racdev02:ce1                  yes

racdev02:ce0                  racdev02:ce1                  yes

racdev02:ce1                  racdev02:ce1                  yes

Result: Node connectivity passed for subnet “147.141.200.0” with node(s) racdev01,racdev02

Check: TCP connectivity of subnet “147.141.200.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:147.141.200.4        racdev01:147.141.200.5        passed

racdev01:147.141.200.4        racdev01:147.141.200.6        passed

racdev01:147.141.200.4        racdev02:147.141.200.8        passed

racdev01:147.141.200.4        racdev02:147.141.200.9        passed

racdev01:147.141.200.4        racdev02:147.141.200.7        passed

Result: TCP connectivity check passed for subnet “147.141.200.0”

Check: Node connectivity of subnet “192.168.103.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:ce3                  racdev01:ce3                  yes

racdev01:ce3                  racdev02:ce3                  yes

racdev01:ce3                  racdev02:ce3                  yes

racdev01:ce3                  racdev02:ce3                  yes

racdev01:ce3                  racdev02:ce3                  yes

racdev02:ce3                  racdev02:ce3                  yes

Result: Node connectivity passed for subnet “192.168.103.0” with node(s) racdev01,racdev02

Check: TCP connectivity of subnet “192.168.103.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:192.168.103.34       racdev01:192.168.103.35       passed

racdev01:192.168.103.34       racdev02:192.168.103.36       passed

racdev01:192.168.103.34       racdev02:192.168.103.37       passed

Result: TCP connectivity check passed for subnet “192.168.103.0”

Check: Node connectivity of subnet “192.168.102.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:ce7                  racdev02:ce7                  yes

Result: Node connectivity passed for subnet “192.168.102.0” with node(s) racdev01,racdev02

Check: TCP connectivity of subnet “192.168.102.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:192.168.102.15       racdev02:192.168.102.16       passed

Result: TCP connectivity check passed for subnet “192.168.102.0”

Check: Node connectivity of subnet “192.168.101.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:ce8                  racdev02:ce8                  yes

Result: Node connectivity passed for subnet “192.168.101.0” with node(s) racdev01,racdev02

Check: TCP connectivity of subnet “192.168.101.0”

Source                          Destination                     Connected?

——————————  ——————————  ————

racdev01:192.168.101.15       racdev02:192.168.101.16       passed

Result: TCP connectivity check passed for subnet “192.168.101.0”

Interfaces found on subnet “147.141.200.0” that are likely candidates for VIP are:

racdev01 ce0:147.141.200.4

racdev02 ce0:147.141.200.8

Interfaces found on subnet “147.141.200.0” that are likely candidates for VIP are:

racdev01 ce1:147.141.200.5 ce1:147.141.200.6

racdev02 ce1:147.141.200.9 ce1:147.141.200.7

Interfaces found on subnet “192.168.103.0” that are likely candidates for a private interconnect are:

racdev01 ce3:192.168.103.34 ce3:192.168.103.35

racdev02 ce3:192.168.103.36 ce3:192.168.103.37

Interfaces found on subnet “192.168.102.0” that are likely candidates for a private interconnect are:

racdev01 ce7:192.168.102.15

racdev02 ce7:192.168.102.16

Interfaces found on subnet “192.168.101.0” that are likely candidates for a private interconnect are:

racdev01 ce8:192.168.101.15

racdev02 ce8:192.168.101.16

Result: Node connectivity check passed

Checking for multiple users with UID value 0

Result: Check for multiple users with UID value 0 passed

Post-check for hardware and operating system setup was successful.

——————————————————-

#######################End of Setting SSH #############################

Before Installing CRS/GRID Test below for any issues:

=====================================================

runcluvfy.sh stage -pre crsinst -n racdev01,racdev02 -verbose

Disable the Login Banner before running runinstaller

==========================================================

racdev01:/export/home/oracle: ssh racdev02

Last login: Sun Oct 27 23:11:45 2013 from mgracsolsrv64bi

Oracle Corporation      SunOS 5.10      Generic Patch   January 2005

Seen the above banner

To disable above banner create .hushlogin file in HOME Directory

=================================================================

racdev01:/export/home/oracle: cd $HOME

racdev01:/export/home/oracle: touch .hushlogin

racdev01:/export/home/oracle: ssh racdev02 (No banner this time)

racdev02:/export/home/oracle: exit

References:

How To Configure SSH for a RAC Installation [ID 300548.1]

 
