Oracle 11gR2在安装Grid Infrastructure的时候,能够通过安装程序配置节点间的SSH用户等效性,之所以要在安装之前配置SSH用户等效性,是为了能够在安装前使用CVU工具来检查安装软件的要求是否满足。CVU检查需要由非root用户来执行,如果执行Clusterware和ASM的检查就用grid用户执行检查的命令,如果执行Database的检查就用oracle用户来执行检查的命令。
SSH可以使用两种加密算法:RSA和DSA。其中RSA是SSH 1.5中的加密算法,DSA是SSH 2.0的默认加密算法。所有SSH有关密匙的配置文件都放在$HOME/.ssh目录下,其中RSA的公匙存放在id_rsa.pub中,私匙存放在id_rsa中;DSA的公匙存放在id_dsa.pub中,私匙存放在id_dsa中。
如果将所有节点生成的公匙都存放在rhel1节点的$HOME/.ssh/ authorized_keys文件中,那么通过rhel1执行节点间的拷贝或执行shell脚本都不需要输入密码进行确认。原理是:每个节点用户都有属于自己的公匙和私匙,节点在发送数据到其他节点之前使用私匙进行加密,然后将数据发送到其他节点;使用私匙加密必然使用公匙解密,反之使用公匙加密,必然使用私匙解密。如果其他节点保存了发送节点的公匙,那么自然就可以在不输入密码的情况下解密。
用户等效性的创建只需要在软件安装的时候使用, Oracle安装过程中会利用SSH提供的scp工具拷贝安装文件到远程节点服务器,利用SSH提供的ssh工具执行相应的shell脚本,达到只在一个节点安装即可部署RAC的目的,所以,在安装之前只需要配置安装节点到所有节点的用户有效性即可。当然,为了方便也可以配置所有节点用户相互之间的等效性。
以grid用户为例,按顺序执行以下的步骤配置SSH用户等效性。
步骤1 在rhel1节点创建私匙和公匙。
在rhel1节点执行以下命令:
[grid@rhel1 ~]$ mkdir ~/.ssh
[grid@rhel1 ~]$ chmod 755 ~/.ssh
[grid@rhel1 ~]$/usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
54:eb:d2:35:61:02:f9:5e:1b:d5:16:48:33:51:ef:71 grid@rhel1
注意 执行以上命令会同时创建私匙和公匙。在要求键入passphrase的时候,直接敲击回车表示没有口令。没有口令的好处在于用户等效性可以直接创建,而不需要在使用前输入口令。11gR2版本中,使用图形化工具创建的等效性也是没有口令的。
步骤2 在rhel2节点创建私匙和公匙。
在rhel2节点执行以下命令:
[grid@rhel2 ~]$ mkdir ~/.ssh
[grid@rhel2 ~]$ chmod 755 ~/.ssh
[grid@rhel2 ~]$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
57:7f:a9:cb:20:49:7b:7e:1e:79:80:d1:b4:24:83:de grid@rhel2
步骤3 将rhel1和rhel2节点的公匙内容拷贝到rhel1节点的authorized_keys文件中。
在rhel1节点执行以下命令:
[grid@rhel1 ~]$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
[grid@rhel1 ~]$ ssh grid@rhel2 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'ractest2 (10.168.6.121)' can't be established.
RSA key fingerprint is 7f:65:07:5a:35:4b:02:4a:47:20:89:09:e3:1e:33:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel2,10.168.6.121' (RSA)to the list of known hosts.
grid@ractest2's password:
[grid@ractest1 ~]$ chmod 644 ~/.ssh/authorized_keys
步骤4 将rhel1和rhel2节点的公匙内容拷贝到rhel2节点的authorized_keys文件中。
在rhel2节点执行以下命令
[grid@rhel2 ~]$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
[grid@rhel2 ~]$ssh grid@rhel1 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'rhel1 (10.168.6.111)' can't be established.
RSA key fingerprint is 7a:24:be:30:64:a5:65:42:dd:e0:77:34:48:8e:0c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel1,10.168.6.111' (RSA)to the list of known hosts.
[grid@rhel2 ~]$ chmod 644 ~/.ssh/authorized_keys
步骤5 验证用户等效性。
在两个节点执行以下命令验证用户等效性:
[grid@rhel1 ~]$ ssh rhel1 date
The authenticity of host 'ractest1 (10.168.6.111)' can't be established.
RSA key fingerprint is 7a:24:be:30:64:a5:65:42:dd:e0:77:34:48:8e:0c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel1,10.168.6.111' (RSA)to the list of known hosts.
Wed Oct 6 22:48:52 EDT 2010
[grid@rhel1 ~]$ ssh rhel2 date
Mon Apr 27 21:12:37 CST 2009
完成上面的配置及验证之后,既可以通过rhel1节点安装软件,也可以通过rhel2节点安装软件。
注意 节点验证用户等效性时,除了验证到其他节点的用户有效性,也需要验证其到自己的用户等效性。
SSH可以使用两种加密算法:RSA和DSA。其中RSA是SSH 1.5中的加密算法,DSA是SSH 2.0的默认加密算法。所有SSH有关密匙的配置文件都放在$HOME/.ssh目录下,其中RSA的公匙存放在id_rsa.pub中,私匙存放在id_rsa中;DSA的公匙存放在id_dsa.pub中,私匙存放在id_dsa中。
如果将所有节点生成的公匙都存放在rhel1节点的$HOME/.ssh/ authorized_keys文件中,那么通过rhel1执行节点间的拷贝或执行shell脚本都不需要输入密码进行确认。原理是:每个节点用户都有属于自己的公匙和私匙,节点在发送数据到其他节点之前使用私匙进行加密,然后将数据发送到其他节点;使用私匙加密必然使用公匙解密,反之使用公匙加密,必然使用私匙解密。如果其他节点保存了发送节点的公匙,那么自然就可以在不输入密码的情况下解密。
用户等效性的创建只需要在软件安装的时候使用, Oracle安装过程中会利用SSH提供的scp工具拷贝安装文件到远程节点服务器,利用SSH提供的ssh工具执行相应的shell脚本,达到只在一个节点安装即可部署RAC的目的,所以,在安装之前只需要配置安装节点到所有节点的用户有效性即可。当然,为了方便也可以配置所有节点用户相互之间的等效性。
以grid用户为例,按顺序执行以下的步骤配置SSH用户等效性。
步骤1 在rhel1节点创建私匙和公匙。
在rhel1节点执行以下命令:
[grid@rhel1 ~]$ mkdir ~/.ssh
[grid@rhel1 ~]$ chmod 755 ~/.ssh
[grid@rhel1 ~]$/usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
54:eb:d2:35:61:02:f9:5e:1b:d5:16:48:33:51:ef:71 grid@rhel1
注意 执行以上命令会同时创建私匙和公匙。在要求键入passphrase的时候,直接敲击回车表示没有口令。没有口令的好处在于用户等效性可以直接创建,而不需要在使用前输入口令。11gR2版本中,使用图形化工具创建的等效性也是没有口令的。
步骤2 在rhel2节点创建私匙和公匙。
在rhel2节点执行以下命令:
[grid@rhel2 ~]$ mkdir ~/.ssh
[grid@rhel2 ~]$ chmod 755 ~/.ssh
[grid@rhel2 ~]$ /usr/bin/ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
57:7f:a9:cb:20:49:7b:7e:1e:79:80:d1:b4:24:83:de grid@rhel2
步骤3 将rhel1和rhel2节点的公匙内容拷贝到rhel1节点的authorized_keys文件中。
在rhel1节点执行以下命令:
[grid@rhel1 ~]$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
[grid@rhel1 ~]$ ssh grid@rhel2 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'ractest2 (10.168.6.121)' can't be established.
RSA key fingerprint is 7f:65:07:5a:35:4b:02:4a:47:20:89:09:e3:1e:33:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel2,10.168.6.121' (RSA)to the list of known hosts.
grid@ractest2's password:
[grid@ractest1 ~]$ chmod 644 ~/.ssh/authorized_keys
步骤4 将rhel1和rhel2节点的公匙内容拷贝到rhel2节点的authorized_keys文件中。
在rhel2节点执行以下命令
[grid@rhel2 ~]$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
[grid@rhel2 ~]$ssh grid@rhel1 cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
The authenticity of host 'rhel1 (10.168.6.111)' can't be established.
RSA key fingerprint is 7a:24:be:30:64:a5:65:42:dd:e0:77:34:48:8e:0c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel1,10.168.6.111' (RSA)to the list of known hosts.
[grid@rhel2 ~]$ chmod 644 ~/.ssh/authorized_keys
步骤5 验证用户等效性。
在两个节点执行以下命令验证用户等效性:
[grid@rhel1 ~]$ ssh rhel1 date
The authenticity of host 'ractest1 (10.168.6.111)' can't be established.
RSA key fingerprint is 7a:24:be:30:64:a5:65:42:dd:e0:77:34:48:8e:0c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel1,10.168.6.111' (RSA)to the list of known hosts.
Wed Oct 6 22:48:52 EDT 2010
[grid@rhel1 ~]$ ssh rhel2 date
Mon Apr 27 21:12:37 CST 2009
完成上面的配置及验证之后,既可以通过rhel1节点安装软件,也可以通过rhel2节点安装软件。
注意 节点验证用户等效性时,除了验证到其他节点的用户有效性,也需要验证其到自己的用户等效性。