You can configure db2locssh so that you can install the Db2®
pureScale® feature without enabling remote root
login and passwordless SSH.
Before you begin
Note: The db2locssh command requires that the /var mount point allow execution of root-owned setuid executables. The db2locssh command does not work if /var is mounted with the nosuid option.
Disable remote root login on each host in the cluster by setting the following option in the SSH daemon configuration file, /etc/ssh/sshd_config:
PermitRootLogin no #disabled
For the change to take effect, restart the SSH daemon. Keep an existing session open while you do so, so that a mistake in sshd_config cannot lock you out of the host.
On Linux® (RHEL 7 and above):
systemctl restart sshd
On other Linux platforms:
/etc/init.d/sshd restart
On AIX®:
stopsrc -s sshd
startsrc -s sshd
About this task
This task describes how to configure db2locssh so that you can install the Db2 pureScale feature without enabling remote root login or passwordless SSH for root.
Procedure
To configure db2locssh:
- Create a non-root user ID (db2sshid) on all the hosts, with the same UID and GID on every host. db2locssh uses db2sshid to establish the SSH connection between a local host and a remote host.
Note: At any time, you can have only one non-root user (db2sshid) configured for db2locssh.
- Run the setup_db2locssh script from the media path as the root user on all the hosts:
./setup_db2locssh <db2sshid>
The utility is located under <media path>/db2/<platform>/utilities.
The script generates two pairs of keys as follows:
- Pair of RSA public and private keys for the root: root@host.priv and root@host.pub
under /var/db2/db2ssh
- Pair of RSA public and private keys for SSH user: id_rsa and
id_rsa.pub under $HOME/.ssh where $HOME is the home
directory of db2sshid.
- Exchange the root public keys root@host.pub that are generated under /var/db2/db2ssh on all the hosts. After this exchange, every host has the public keys of all other hosts under /var/db2/db2ssh. Only the .pub files are copied; each root@host.priv file stays on the host that generated it.
For example, if hostA and hostB are the names of the hosts, exchange the root public keys as follows:
- Copy the root public key of hostA, root@hostA.pub to hostB under the
location /var/db2/db2ssh
- Copy the root public key of hostB, root@hostB.pub to hostA under the
location /var/db2/db2ssh
- As the SSH user (db2sshid), create a file called authorized_keys under $HOME/.ssh, where $HOME is the home directory of db2sshid. Append the contents of the public key id_rsa.pub from each host to the authorized_keys file.
- Copy the authorized_keys file to the $HOME/.ssh directory on each host, where $HOME is the home directory of db2sshid.
- Run the chmod 644 authorized_keys command to change the permissions of authorized_keys on all the hosts. The file and the $HOME/.ssh directory must be owned by db2sshid and must not be writable by group or others; otherwise sshd, with its default StrictModes yes, ignores the file and prompts for a password.
- Log in to each host as the SSH user (db2sshid) and SSH to all the hosts, including the local host, to confirm that you can connect to every host without a password prompt.
For example, if there are two hosts, hostA and hostB, do as follows:
- On hostA as the SSH user (db2sshid):
ssh <hostA>
ssh <hostB>
- On hostB as the SSH user (db2sshid):
ssh <hostA>
ssh <hostB>
Note: Connect to each host by every name form that the cluster uses, accepting the host key when prompted, so that the known_hosts file of db2sshid contains an entry for each of the following:
- The long (fully qualified) and short hostnames.
- The long and short netnames.
- Run the remote commands to verify the db2locssh configuration.
For example, if there are two hosts, hostA and hostB, do as follows:
- On hostA as the root user, run the remote commands:
/var/db2/db2ssh/db2locssh hostB 'hostname'
The command output is hostB.
/var/db2/db2ssh/db2locssh hostA 'hostname'
The command output is hostA.
- On hostB as the root user, run the remote commands:
/var/db2/db2ssh/db2locssh hostB 'hostname'
The command output is hostB.
/var/db2/db2ssh/db2locssh hostA 'hostname'
The command output is hostA.
If the db2locssh command fails, perform the following checks:
- Check that you are running /var/db2/db2ssh/db2locssh as the root user.
- As the non-root SSH user (db2sshid), confirm that you can SSH to all the hosts without a password prompt.
- Check whether the clocks across the hosts are synchronized.
- Check the operating system logs for more information on the db2locssh command failure.
- If you are unable to resolve the problem, contact IBM® support.
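The key-exchange and verification steps of the procedure above, automated as an added example. This is not code from the Db2 documentation or from the setup_db2locssh utility: it merges the id_rsa.pub files collected from every host into one authorized_keys, checks the file layout that sshd's StrictModes enforces, connects to every name form as db2sshid so that known_hosts is populated, and runs the root-side db2locssh round trip. The function names, the DB2_HOSTS and DB2_SSH_DIR variables, the sample key lines, and the OpenSSH options BatchMode and StrictHostKeyChecking=accept-new (OpenSSH 7.6 or later) are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example for the db2locssh procedure; not part of Db2 or of setup_db2locssh.
# Assumptions (not from the page): the DB2_HOSTS and DB2_SSH_DIR variables, the function
# names, and the OpenSSH options BatchMode / StrictHostKeyChecking=accept-new (7.6+).

: "${DB2_SSH_DIR:=/var/db2/db2ssh}"   # location of db2locssh and the root key pair (from the page)

# Build authorized_keys for db2sshid from the id_rsa.pub files gathered from every host.
# Keeps only well-formed OpenSSH public-key lines, drops duplicates while preserving order,
# and leaves the file with mode 644 regardless of the caller's umask.
# Usage: merge_authorized_keys <output_file> <pubkey_file>...
merge_authorized_keys() {
    _out=$1; shift
    _tmp=$(mktemp) || return 1
    for _f in "$@"; do
        grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$_f" >> "$_tmp"
    done
    awk '!seen[$0]++' "$_tmp" > "$_out"
    rm -f "$_tmp"
    chmod 644 "$_out"
}

# Number of key lines in an authorized_keys file.
count_keys() {
    awk 'END { print NR }' "$1"
}

# Check the layout sshd's StrictModes enforces before reading a password prompt as "wrong key":
# $HOME/.ssh and authorized_keys must not be group- or world-writable. Parses ls -ld so it
# behaves the same on Linux and AIX. Returns 1 and names the offending path on failure.
check_ssh_perms() {
    _rc=0
    for _p in "$1" "$1/authorized_keys"; do
        _perm=$(ls -ld "$_p" | cut -c1-10)
        case $_perm in
            ?????w????|????????w?)
                echo "StrictModes would reject $_p: mode string $_perm"; _rc=1 ;;
        esac
    done
    return $_rc
}

# As db2sshid, connect to every name form (long and short hostname, long and short netname)
# so that each one gets a known_hosts entry. BatchMode=yes turns a password prompt into a
# failure, which is the condition the procedure wants to detect. accept-new is trust on first
# use; pre-seeding known_hosts from fingerprints gathered out of band is the stricter option.
populate_known_hosts() {
    for _n in "$@"; do
        ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "$_n" true \
            || { echo "no passwordless SSH to $_n as $(id -un)"; return 1; }
    done
}

# As root, run the page's verification command against every host. Only the first label of the
# returned name is compared, because hostname may return a fully qualified name.
verify_db2locssh() {
    for _h in "$@"; do
        _got=$("$DB2_SSH_DIR/db2locssh" "$_h" 'hostname') || { echo "db2locssh to $_h failed"; return 1; }
        [ "${_got%%.*}" = "${_h%%.*}" ] || { echo "db2locssh to $_h returned '$_got'"; return 1; }
    done
}

# Usage (assumed): DB2_HOSTS="hostA hostB" sh db2locssh_check.sh
# Run once as db2sshid (permissions and known_hosts) and once as root (db2locssh round trip).
if [ -n "${DB2_HOSTS:-}" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        verify_db2locssh $DB2_HOSTS
    else
        check_ssh_perms "$HOME/.ssh" && populate_known_hosts $DB2_HOSTS
    fi
fi
```

Run the script twice on each host, first as db2sshid and then as root, with DB2_HOSTS listing every name form the cluster uses. A non-zero exit from populate_known_hosts is the automated form of the page's "without a password prompt" check, and a failure from check_ssh_perms explains the most common cause of that prompt before you look at the keys themselves.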