Thursday, October 12, 2017

Set Up SSH on EBS Application Nodes & RAC Database Nodes

Set Up Secure Shell SSH on EBS Application 12.2.x Tier Nodes

In a multi-node environment, adop commands are invoked by a user on the primary node. Internally, adop uses Secure Shell (ssh) to automatically execute required patching actions on all secondary nodes. You must set up passwordless SSH connectivity from the primary node to all secondary nodes.
Note: Rapid Install and Rapid Clone set up the SSH key infrastructure.

*Steps to setup SSH manually
The ssh-keygen command is used to generate a private/public key pair.  The private key is for the node from where all the remote nodes will subsequently be accessible by an ssh login that requires no password. The public key must be copied to each remote node's <User_Home_Directory>/.ssh directory.
In essence, the sequence is as follows:
1.The following command initiates creation of the key pair:
# ssh-keygen -t rsa
Note: The <Enter> key should be pressed instead of a passphrase being entered.
Generating public/private rsa key pair.
Enter file in which to save the key (/u01/user2/.ssh/id_rsa):
<Enter>
Enter passphrase:<Enter>
Enter same passphrase again:<Enter>
Your identification has been saved in /u01/user2/.ssh/id_rsa.
Your public key has been saved in /u01/user2/.ssh/id_rsa.pub.
The key fingerprint is: 16:d0:e2:dd:37:2f:8e:d5:59:3e:12:9d:2f:12:1e:5a


2.The private key is saved in <User_Home_Directory>/.ssh/id_rsa
Important: As this read-only file is used to decrypt all correspondence encrypted with the public key, its contents must not be shared with anyone.
3.The public key is saved in <User_Home_Directory>/.ssh/id_rsa.pub
4.The contents of the public key are then copied to the <User_Home_Directory>/.ssh /authorized_keys file on the systems you subsequently wish to SSH to without being prompted for a password.
# scp -pr /u01/user2/.ssh/id_rsa.pub user2@system1:/u01/user2/.ssh/authorized_keys
user2@system1's password:<Enter user2 on system1 OS user password here>
id_rsa.pub 100% 398 0.4KB/s 00:00

# ssh user2@system1
Note: If you receive this message, it can safely be ignored: Warning: untrusted X11 forwarding setup failed: xauth key data not generated Warning: No xauth data; using fake authentication data for X11 forwarding.

 Once this has been done for the relevant operating system account on all nodes - that is, ssh can log in from the primary node to each secondary node without entering a password - so you are ready to run adop on multiple application tier nodes. It must be run on at least the master (admin) node: from there, it will attempt to contact all the other application tier nodes that are part of the same Oracle E-Business Suite instance, and will run the required steps remotely on those nodes.

*Steps to setup SSH using txkRunSSHSetup.pl Script on EBS Application Nodes
Important: If you change the password for the relevant operating system account on one or more nodes, you must regenerate the SSH credentials either using the $AD_TOP/patch/115/bin/txkRunSSHSetup.pl script, or your own native solution if you prefer.

The txkRunSSHSetup.pl script has a -help option that shows relevant usage options. 

For example, a basic command to enable ssh would be:
$ perl $AD_TOP/patch/115/bin/txkRunSSHSetup.pl enablessh -contextfile=<CONTEXT_FILE> -hosts=h1,h2,h3$

To verify ssh operation:
$ perl $AD_TOP/patch/115/bin/txkRunSSHSetup.pl verifyssh -contextfile=<CONTEXT_FILE> -hosts=h1,h2,h3 -invalidnodefile=<filename to report ssh verification failures>

 To disable ssh:
$ perl $AD_TOP/patch/115/bin/txkRunSSHSetup.pl disablessh -contextfile=<CONTEXT_FILE> -hosts=h1,h2,h3 -invalidnodefile=<filename to report ssh verification failures>

Set Up Secure Shell SSH on RAC Database Nodes

With Oracle Database 11g Release 2, Oracle provides an extremely useful script to establish and exchange ssh keys between all the nodes of the cluster called sshUserSetup.sh. This script is available to everyone from the installation media in the grid/sshsetup sub-directory.
This little shell script comes in handy if you are cloning Oracle RAC clusters and do not want to leverage the GUI tools. If you trying to automate Oracle RAC build deployments, it is a must have tool for the DBAs.
Without setting up ssh keys, the cluvfy script will fail and spit out the following error:
? 1 ERROR: User equivalence unavailable on all the nodes. Verification cannot proceed.

The following example demonstrates the sshUserSetup script executed on a 2-node RAC called rac1 and rac2:
[oracle@rac1 sshsetup]$ pwd
/nfs/software/12c/grid/sshsetup
[oracle@rac1 home]$ cd /nfs/software/12c/grid/sshsetup/
[oracle@rac1 sshsetup]$ ./sshUserSetup.sh -user oracle -hosts "rac1 rac2" -noPromptPassphrase -advanced -exverify
The output of this script is also logged into /tmp/sshUserSetup_2017-10-12-15-30-00.log

For any queries related to this article, please email me, samiappsdba@gmail.com