Environment Configuration Details:
Operating System: Red Hat Enterprise Linux 8.4 (64-bit)
RAC: YES (3 - Node Setup)
Suppose you have a three-node Oracle RAC setup and want to configure SSH authentication for the oracle user, the grid user, or any other user. Follow the steps below.
Log in as the oracle user and execute the commands below. To configure the grid user instead, log in as the grid user.
Step 1: Remove the existing "/home/oracle/.ssh" directory on all nodes and recreate it. This deletes any existing keys, authorized_keys and known_hosts for the user.
[oracle@rac1 ~]$ rm -rf .ssh
[oracle@rac2 ~]$ rm -rf .ssh
[oracle@rac3 ~]$ rm -rf .ssh
[oracle@rac1 ~]$ mkdir .ssh
[oracle@rac2 ~]$ mkdir .ssh
[oracle@rac3 ~]$ mkdir .ssh
[oracle@rac1 ~]$ chmod 700 .ssh
[oracle@rac2 ~]$ chmod 700 .ssh
[oracle@rac3 ~]$ chmod 700 .ssh
Step 2: Go to the "/home/oracle/.ssh" directory and generate RSA and DSA keys on all nodes.
[oracle@rac1 ~]$ cd /home/oracle/.ssh
[oracle@rac2 ~]$ cd /home/oracle/.ssh
[oracle@rac3 ~]$ cd /home/oracle/.ssh
On Node1:
[oracle@rac1 .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1PiMgzmPvLA26N/f6u7kxkJ9bFbOn/Cj4D2IKXDj7mE oracle@rac1.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| |
| o |
| o . |
| + + . |
| +.S.o+ |
| ..++..= + |
| ..=Eoo*.. + . |
| . o=+==o.o. = |
| ..oo+=OB.o oo . |
+----[SHA256]-----+
[oracle@rac1 .ssh]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:aQSj/tG2GK+QDrTGBVsh8BqNNIVI9g39LjATrRahuE8 oracle@rac1.localdomain
The key's randomart image is:
+---[DSA 1024]----+
|+*++= o |
|==++o= o |
|+.+.*.. . |
| + @ + . |
|o E * + S |
| = o + O . |
| * o + o |
| . o . . |
| . . |
+----[SHA256]-----+
On Node2:
[oracle@rac2 .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:q4jILUpzCHgRViUHEVz+S83PJlmo7YWmWp2TYyzCPFo oracle@rac2.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| oo**+ |
| . ..+ |
| . . |
|. . . o . |
|o . S + . |
|... o . B O |
| + . E * # = |
|oo+. + = * * |
|+.o.o o.. . |
+----[SHA256]-----+
[oracle@rac2 .ssh]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:FwQAcyGPufeF53/G7mCUXiKbGZR4eaDcj6PHup+l15Q oracle@rac2.localdomain
The key's randomart image is:
+---[DSA 1024]----+
| +.+o..o |
| B . = + |
| o . + B . |
| . + = . |
| . . S O = .. |
| . . B X oE |
| o B =+ |
| o *..= |
| oo+..=o |
+----[SHA256]-----+
On Node3:
[oracle@rac3 .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/+XUZ0/QQnRmeqBPBEq+VFXQ8HYsibdI5fN7vfCo6NI oracle@rac3.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| . ooO==|
| o o B X.|
| + + X *|
| . o * O.|
| S . . = o|
| . +o|
| . . .o.B|
| . E.. ++o=|
| oo .o..o.|
+----[SHA256]-----+
[oracle@rac3 .ssh]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_dsa.
Your public key has been saved in /home/oracle/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:BoK8Y7WSOkfo2bMQzZeG4ZguHzT9waUtznedOMuDJbc oracle@rac3.localdomain
The key's randomart image is:
+---[DSA 1024]----+
| |
| . . |
| o.o . . |
| .*=o+.= |
|.+X=o+= S |
|o=++o+ +. oo . |
|+=oo + .=+.o |
|.+..o ..oEo |
| .. o. |
+----[SHA256]-----+
Step 3: On each node, concatenate all *.pub files into a file named authorized_keys.<hostname>.
[oracle@rac1 .ssh]$ cat *.pub >> authorized_keys.rac1
[oracle@rac2 .ssh]$ cat *.pub >> authorized_keys.rac2
[oracle@rac3 .ssh]$ cat *.pub >> authorized_keys.rac3
Copy each file to the other nodes: the Node1 file to Node2 and Node3, the Node2 file to Node1 and Node3, and the Node3 file to Node1 and Node2.
[oracle@rac1 .ssh]$ scp authorized_keys.rac1 oracle@rac2:/home/oracle/.ssh/
[oracle@rac1 .ssh]$ scp authorized_keys.rac1 oracle@rac3:/home/oracle/.ssh/
[oracle@rac2 .ssh]$ scp authorized_keys.rac2 oracle@rac1:/home/oracle/.ssh/
[oracle@rac2 .ssh]$ scp authorized_keys.rac2 oracle@rac3:/home/oracle/.ssh/
[oracle@rac3 .ssh]$ scp authorized_keys.rac3 oracle@rac1:/home/oracle/.ssh/
[oracle@rac3 .ssh]$ scp authorized_keys.rac3 oracle@rac2:/home/oracle/.ssh/
Step 4: On each node, append all authorized_keys.rac* files to authorized_keys and restrict its permissions.
[oracle@rac1 .ssh]$ cat *.rac* >> authorized_keys
[oracle@rac2 .ssh]$ cat *.rac* >> authorized_keys
[oracle@rac3 .ssh]$ cat *.rac* >> authorized_keys
[oracle@rac1 .ssh]$ chmod 600 authorized_keys
[oracle@rac2 .ssh]$ chmod 600 authorized_keys
[oracle@rac3 .ssh]$ chmod 600 authorized_keys
[oracle@rac1 .ssh]$ ll
-rw------- 1 oracle oinstall 3570 Jan 13 16:43 authorized_keys
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:41 authorized_keys.rac1
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:42 authorized_keys.rac2
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:42 authorized_keys.rac3
-rw------- 1 oracle oinstall 1393 Jan 13 16:41 id_dsa
-rw-r--r-- 1 oracle oinstall 613 Jan 13 16:41 id_dsa.pub
-rw------- 1 oracle oinstall 2610 Jan 13 16:40 id_rsa
-rw-r--r-- 1 oracle oinstall 577 Jan 13 16:40 id_rsa.pub
-rw-r--r-- 1 oracle oinstall 358 Jan 13 16:42 known_hosts
[oracle@rac2 .ssh]$ ll
-rw------- 1 oracle oinstall 3570 Jan 13 16:43 authorized_keys
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:41 authorized_keys.rac1
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:41 authorized_keys.rac2
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:42 authorized_keys.rac3
-rw------- 1 oracle oinstall 1393 Jan 13 16:41 id_dsa
-rw-r--r-- 1 oracle oinstall 613 Jan 13 16:41 id_dsa.pub
-rw------- 1 oracle oinstall 2610 Jan 13 16:41 id_rsa
-rw-r--r-- 1 oracle oinstall 577 Jan 13 16:41 id_rsa.pub
-rw-r--r-- 1 oracle oinstall 358 Jan 13 16:42 known_hosts
[oracle@rac3 .ssh]$ ll
-rw------- 1 oracle oinstall 3570 Jan 13 16:43 authorized_keys
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:42 authorized_keys.rac1
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:42 authorized_keys.rac2
-rw-r--r-- 1 oracle oinstall 1190 Jan 13 16:41 authorized_keys.rac3
-rw------- 1 oracle oinstall 1393 Jan 13 16:41 id_dsa
-rw-r--r-- 1 oracle oinstall 613 Jan 13 16:41 id_dsa.pub
-rw------- 1 oracle oinstall 2610 Jan 13 16:41 id_rsa
-rw-r--r-- 1 oracle oinstall 577 Jan 13 16:41 id_rsa.pub
-rw-r--r-- 1 oracle oinstall 358 Jan 13 16:42 known_hosts
Step 5: Test SSH authentication with the commands below. Self-authentication (Node1 to Node1, Node2 to Node2, Node3 to Node3) is also required; without it we cannot proceed with the installation.
[oracle@rac1 .ssh]$ ssh rac1
[oracle@rac1 .ssh]$ ssh rac2
[oracle@rac1 .ssh]$ ssh rac3
[oracle@rac2 .ssh]$ ssh rac2
[oracle@rac2 .ssh]$ ssh rac1
[oracle@rac2 .ssh]$ ssh rac3
[oracle@rac3 .ssh]$ ssh rac3
[oracle@rac3 .ssh]$ ssh rac1
[oracle@rac3 .ssh]$ ssh rac2
[oracle@rac1 .ssh]$ ssh rac1
The authenticity of host 'rac1 (10.20.30.101)' can't be established.
ECDSA key fingerprint is SHA256:paSUsPHPoUwF04C4TJffskwngg82TS389hoEYRvbWJ4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'rac1,10.20.30.101' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Thu Dec 29 02:59:55 2022
[oracle@rac1 ~]$ ssh rac2
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Jan 13 16:44:53 2023 from 10.20.30.101
[oracle@rac2 ~]$ ssh rac2
The authenticity of host 'rac2 (10.20.30.102)' can't be established.
ECDSA key fingerprint is SHA256:paSUsPHPoUwF04C4TJffskwngg82TS389hoEYRvbWJ4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'rac2,10.20.30.102' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Jan 13 16:45:08 2023 from 10.20.30.101
[oracle@rac2 ~]$ ssh rac3
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Thu Dec 29 03:00:30 2022
[oracle@rac3 ~]$ ssh rac3
The authenticity of host 'rac3 (10.20.30.106)' can't be established.
ECDSA key fingerprint is SHA256:paSUsPHPoUwF04C4TJffskwngg82TS389hoEYRvbWJ4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'rac3,10.20.30.106' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Jan 13 16:45:15 2023 from 10.20.30.102
[oracle@rac3 ~]$ ssh rac1
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Jan 13 16:45:02 2023 from 10.20.30.101
You have successfully configured passwordless SSH authentication.
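Added example (not part of the original post): a Bash function that audits the "/home/oracle/.ssh" directory produced by Steps 1 to 4 before the login test in Step 5. It assumes GNU stat and that the keys keep ssh-keygen's default user@host comment; the function name audit_ssh_dir is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit a ~/.ssh directory built by the steps above.
# Prints one line per finding and returns the number of findings.
# Usage: audit_ssh_dir /home/oracle/.ssh rac1 rac2 rac3
audit_ssh_dir() {
    local dir=$1; shift
    local ak="$dir/authorized_keys" findings=0 node f mode dupes

    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # sshd's StrictModes rejects group- or world-writable files;
    # the page sets 700 on the directory and 600 on authorized_keys.
    mode=$(stat -c %a "$dir")
    [ "$mode" = 700 ] || report "$dir is mode $mode, expected 700"
    if [ ! -f "$ak" ]; then
        report "$ak is missing"
        return "$findings"
    fi
    mode=$(stat -c %a "$ak")
    [ "$mode" = 600 ] || report "$ak is mode $mode, expected 600"

    # Private keys must be readable by the owner only.
    for f in "$dir"/id_rsa "$dir"/id_dsa; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        [ "$mode" = 600 ] || report "$f is mode $mode, expected 600"
    done

    # Every node, including the local one, needs an RSA entry
    # (assumes the default comment, e.g. oracle@rac1.localdomain).
    for node in "$@"; do
        grep -Eq "^ssh-rsa [^ ]+ [^ ]*@${node}(\.|\$)" "$ak" ||
            report "no ssh-rsa key for $node in authorized_keys"
    done

    # OpenSSH 7.0 and later disable ssh-dss by default.
    grep -q '^ssh-dss ' "$ak" && report "ssh-dss (DSA) entries present"

    # Re-running 'cat ... >> authorized_keys' appends the same keys again.
    dupes=$(sort "$ak" | uniq -d | wc -l)
    [ "$dupes" -eq 0 ] || report "$dupes duplicated line(s) in authorized_keys"

    return "$findings"
}
```

Run against the directory exactly as the steps above build it, the function reports the DSA entries, since each node's *.pub files include id_dsa.pub.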
Please comment if you like this post!
Thanks for sharing