Question about mutual trust between AIX5.3 and Oracle11gR2SSH Installation

Source: Internet
Author: User
Tags free ssh scp command
On the local node (racnode1), use SCP (secure replication) or SFTP (Secure FTP) ~. The content of the sshid_dsa.pub Public Key is obtained from

On the local node (racnode1), use SCP (secure replication) or SFTP (Secure FTP) ~ /. Ssh/id_dsa.pub Public Key

Configure password-free SSH on the cluster node
To configure SSH without a password, you must first generate an RSA or DSA key on each cluster node, and then copy all the keys generated by all cluster node members to the authorization key file, the file is the same on each node. Note: The SSH file must be read only by the root user and software Installer (grid and Oracle), because SSH ignores the file if other users can access a private key file. The following example uses the DSA key.
For the Oracle software installation owner (grid and oracle) to be used during installation, you must configure password-free SSH for each owner.
To configure SSH without a password, complete the following tasks:
Create an SSH directory on each node and generate an SSH key
Complete the following steps on each node:
Log on as the software owner (grid user in this example.
[Root @ linuxidc1 ~] # Su-grid
Make sure that you log on with the grid, verify that the user ID is consistent with the expected user ID (that is, the user ID you have allocated to the grid user), and enter the id and id grid command. Make sure that the Oracle user group and user are in the same group and user ID as the user terminal window process you are currently using. For example:

If necessary, create the. ssh directory under the grid user's home directory and set the relevant permissions to ensure that only oracle users have read and write permissions:
[Grid @ linuxidc1 ~] $ Mkdir ~ /. Ssh
[Grid @ linuxidc1 ~] $ Chmod 700 ~ /. Ssh
Run the following command to generate a DSA key pair (Public Key and private key) for the SSH protocol: when prompted, accept the default location of the key file and set the passphrase (Press [Enter]).:
[Grid @ linuxidc1 ~] $/Usr/bin/ssh-keygen-t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/grid/. ssh/id_dsa): [Enter]
Enter passphrase (empty for no passphrase): [Enter]
Enter same passphrase again: [Enter]
Your identification has been saved in/home/grid/. ssh/id_dsa.
Your public key has been saved in/home/grid/. ssh/id_dsa.pub.
The key fingerprint is:
7b: e9: e8: 47: 29: 37: ea: 10: 10: c6: b6: 7d: d2: 73: e9: 03grid @ linuxidc1
Note: Password phrase SSH is not supported for Oracle Clusterware 11g 2nd and later versions. For Oracle 11g 2nd and later versions, password-free SSH is required.

This command writes the DSA public key ~ /. Ssh/id_dsa.pub file to write the private key ~ /. Ssh/id_dsa file.

Do not distribute the private key to any user who has no permission to install the Oracle software.


Repeat steps 1st to 4th for all other nodes (linuxidc2) that use the DSA key that you want to make it a member of the cluster.

Add all keys to a public authorized_keys File

Now, each Oracle RAC node contains both public and private keys for DSA. You need to create an authorization key file (authorized_keys) on one of the nodes ). The authorization key file is only a file containing the DSA public key of each user (each node. After the authorization key file contains all public keys, it is distributed to all other nodes in the cluster.

Note: For grid users on each node ~ The/. ssh/authorized_keys file must contain all ~ The content in the/. ssh/id_dsa.pub file.

Complete the following steps on a node in the cluster to generate an authorization key file and then distribute the file. In this article, I will use the master node linuxidc1 in the Cluster:

Check whether the authorization key file exists in the main directory of the owner in linuxidc1 (local node ~ /. Ssh/authorized_keys. In most cases, this file does not exist because this document assumes that you are installing a new one. If the file does not exist, create it now:
[Grid @ linuxidc1 ~] $ Touch ~ /. Ssh/authorized_keys
[Grid @ linuxidc1 ~] $ Ls-l ~ /. Ssh
Total 8
-Rw-r -- 1 grid oinstall 0 Nov 12 12:34 authorized_keys
-Rw ------- 1 grid oinstall 668 Nov 12 id_dsa
-Rw-r -- 1 grid oinstall 603 Nov 12 id_dsa.pub
In the. ssh directory, you will see the previously generated id_dsa.pub key and the blank file authorized_keys.

On the local node (linuxidc1), use SCP (secure replication) or SFTP (Secure FTP) ~ The contents of the/. ssh/id_dsa.pub Public Key are copied from two Oracle RAC nodes in the cluster to the authorization key file (~ /. Ssh/authorized_keys. Similarly, perform this operation from linuxidc1. The system prompts you to enter the grid OS user account password for each accessed Oracle RAC node.
The following example runs on the linuxidc1 node. Assume that the cluster has two nodes: linuxidc1 and linuxidc2:

[Grid @ linuxidc1 ~] $ Ssh linuxidc1 cat ~ /. Ssh/id_dsa.pub> ~ /. Ssh/authorized_keys
The authenticity of host 'linuxidc1 (192.168.1.151) 'can't be established.
RSA key fingerprint is 2f: 0d: 2c: da: 9f: d4: 3d: 2e: ea: e9: 98: 20: 2c: b9: e8: f5.
Are you sure you want to continue connecting (yes/no )? Yes
Warning: Permanently added 'linuxidc1, 192.168.1.151' (RSA) to the list of known hosts.
Grid @ linuxidc1 'spassword: xxxxx

[Grid @ linuxidc1 ~] $ Ssh linuxidc2 cat ~ /. Ssh/id_dsa.pub> ~ /. Ssh/authorized_keys
The authenticity of host 'linuxidc2 (192.168.1.152) 'can't be established.
RSA key fingerprint is 97: AB: db: 26: f6: 01: 20: cc: e0: 63: d0: d1: 73: 7e: c2: 0a.
Are you sure you want to continue connecting (yes/no )? Yes
Warning: Permanently added 'linuxidc2, 192.168.1.152' (RSA) to the list of known hosts.
Grid @ linuxidc2 'spassword: xxxxx
When you connect to a node from a specific system using SSH for the first time, you will see messages similar to the following:

The authenticity of host 'linuxidc1 (192.168.1.151) 'can't be established.
RSA key fingerprint is 2f: 0d: 2c: da: 9f: d4: 3d: 2e: ea: e9: 98: 20: 2c: b9: e8: f5.
Are you sure you want to continue connecting (yes/no )? Yes
Enter yes to continue. Therefore, the public host name will be added ~ /. The known_hosts file in the ssh directory will not be seen when the system connects to the same node later.

In this case, the authorization key file (~ /. Ssh/authorized_keys) contains the DSA public key from each node in the cluster.
[Grid @ linuxidc1 ~] $ Ls-l ~ /. Ssh
Total 16
-Rw-r -- 1 grid oinstall 1206 Nov 12 authorized_keys
-Rw ------- 1 grid oinstall 668 Nov 12 id_dsa
-Rw-r -- 1 grid oinstall 603 Nov 12 id_dsa.pub
-Rw-r -- 1 grid oinstall 808 Nov 12 known_hosts
Now we will copy it to other nodes in the cluster. In our dual-node cluster example, the only remaining node is linuxidc2. Run the scp command to copy the authorization key file to all other nodes in the Cluster:

[Grid @ linuxidc1 ~] $ Scp ~ /. Ssh/authorized_keys linuxidc2:. ssh/authorized_keys
Grid @ linuxidc2 'spassword: xxxxx
Authorized_keys 100% 1206 1.2KB/s

Log on to the node and run the following command to change the authorization key file permissions for the two Oracle RAC nodes in the Cluster:
[Grid @ linuxidc1 ~] $ Chmod 600 ~ /. Ssh/authorized_keys
Enable SSH user equivalence on cluster nodes

Copy the authorized_keys file that contains all the public keys to each node in the cluster, and complete the steps in this section to ensure that the SSH connection without a password is correctly configured between the cluster member nodes. In this example, the Oracle grid Infrastructure software owner named Grid is used.

When you run the test SSH command in this section, if you see any messages or text other than the date and host name, Oracle Installation will fail. If any node prompts you to enter a password or a phrase, verify ~ The/. ssh/authorized_keys file contains the correct public key and you have created an Oracle software owner with the same group member and ID. Make necessary changes to ensure that only the date and host name are displayed when you enter these commands. Make sure that you modify any part of the login script that generates any output or asks any questions so that they take effect only when the shell is an interactive shell.


Log on to the system (linuxidc1) where you want to run OUI as a grid user.
[Root @ linuxidc1 ~] # Su-grid

If the SSH configuration is correct, you can use the ssh and scp commands from the terminal without providing a password or phrase.
[Grid @ linuxidc1 ~] $ Ssh linuxidc1 date
Fri Nov 13 09:46:56 EST 2009
Linuxidc1

[Grid @ linuxidc1 ~] $ Ssh linuxidc2 date
Fri Nov 13 09:47:34 EST 2009
Linuxidc2

If you need a password, check the permissions of the grid folder. the permissions of the nodes on both sides must be the same. If the permissions are too large (for example, 777), you must change the permissions to a smaller value (for example, 755)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.