Link back: This guide is a part of the Virtual Oracle RAC project, the index to the whole project is here.
Configure SSH on RAC Nodes
Oracle Clusterware and the Oracle Database software are installed from one node in a RAC cluster. Files are copied by Oracle Installer (OI) to other nodes using ssh and scp commands and OI expects "user equivalence" to be setup on all nodes. This means UNIX id used for installation ("oracle" user in our case) is trusted on all nodes and ssh/scp commands won’t ask for password. We are going to set up this equivalency.
Log on as the oracle UNIX user account (on both nodes):
# su – oracle
Create the .ssh directory in the oracle user’s home directory (on both nodes):
$ rm -R ~/.ssh
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
Generate an RSA key pair (public and private key) for the SSH protocol. When prompted: accept the default location for the key files, enter and confirm a pass phrase (make up something, it may or may not be same on all nodes, write it down, you will need it later). Do it on both nodes.
$ /usr/bin/ssh-keygen -t rsa
The command above creates:
public key in ~/.ssh/id_rsa.pub
private key in ~/.ssh/id_rsa
The results so far will look like this (first node), the arrows indicating your input:
and second node:
Create "authorized_keys" file on first node only. This "authorized_keys" file is a collection of RSA public keys from all nodes in cluster. When all keys are collected this file will be copied to other nodes.
The following commands are run from one node (odnb1):
$ ssh odbn1 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Notice: yes, you are connecting with SSH from odbn1 to odbn1, this is done in order to produce additional SSH configuration file "known_hosts" and properly add contents of "id_rsa.pub" to "authorized_keys". Keep the RSA passphrase and oracle’s password handy, red arrows denote your input:
Still from the same host odbn1 issue this command:
$ ssh odbn2 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
What has been done just now? We have connected to odbn2 and appended the contents of its "id_rsa.pub" file to the "authorized_keys" file on odbn1. This looks like that so far:
Examine your "authorized_keys" file on odbn1, you will see it includes keys from both nodes. Now copy this file to the other node (you are still being asked for oracle’s password):
$ scp ~/.ssh/authorized_keys odbn2:.ssh/authorized_keys
Change permissions on the "authorized_keys" file on both nodes:
$ chmod 600 ~/.ssh/authorized_keys
Test connection from odbn1 (first to odbn1 itself, then to odbn2):
$ ssh odbn1 uname -a
$ ssh odbn2 uname -a
Notice: we are not prompted for the oracle’s password, only for the passphrase of the key file. Now we are going to get rid of that prompt either.
Enter following commands on odbn1:
$ exec /usr/bin/ssh-agent $SHELL
The ssh-agent is a process that will supply the passphrase to new SSH processes in this session. When we restart the nodes later (or leave this session) the two commands (ssh-agent and ssh-add) are to be re-run.
Try running same ssh commands as before and you will see no prompts whatsoever (when running from from odbn1, that is):
Test connection on private and public interfaces as well (this is needed later by Oracle Installer):
$ ssh odbn1-priv
$ ssh odbn1-pub
Well, at this point we have configured the SSH to satisfy the Oracle Installer (we hope).