Installing and setting up OpenSSH

This task describes how to obtain and set up Open Secure Shell (OpenSSH).

Before you begin

Log in as the root user and uncomment the following entries in the SSH configuration files on each host in the cluster.

File: /etc/ssh/ssh_config
  Port 22
  Protocol 2,1

File: /etc/ssh/sshd_config
  PermitRootLogin yes
  PasswordAuthentication no

About this task

You need to perform these steps on each host you want to participate in the Db2® pureScale® instance.

For Linux® users, OpenSSH is installed by default on SLES 10 SP3 or later.

Open Secure Shell (OpenSSH) is an open source version of the SSH protocol suite of network connectivity tools. The tools provide shell functions that are authenticated and encrypted. A shell is a command language interpreter that reads input from a command-line string, stdin, or a file. The steps in this topic allow you to connect to a remote server through SSH without having to enter a password.

For the Db2 pureScale Feature, you need to set up passwordless SSH access for the root user. The instance owner also requires passwordless SSH access; however, the Db2 installation processes set this up if it is not already configured for the instance owner. The following steps outline how to set up passwordless SSH access for the root user.

Note: The instance owner must have the rlogin attribute set to the default value of TRUE.

Procedure

  1. AIX® operating systems only: If OpenSSH is not available on your system, you can obtain it from the latest AIX Expansion Pack and Web Download Pack (http://www-03.ibm.com/systems/power/software/aix/solutions.html). The OpenSSH fileset includes manual pages with openssh.man.en_US. On the Internet, OpenBSD provides documentation at http://www.openssh.org/manual.html.
  2. AIX operating systems only: Install OpenSSH. On AIX, OpenSSH has public key authentication enabled by default.
  3. Set up public key-based authentication. Public key-based authentication enables a single user ID to log in as that same user ID on each host in the instance without being prompted for a password. Public key-based authentication must be enabled for the root ID to use passwordless SSH.

    If the user ID has a ~/.ssh directory, ensure that it does not allow group or other write access. Ensure that the home directory for the user does not allow group or other write access. SSH treats group or other write access on these directories as a security exposure, and if the directory permissions are not restrictive enough, it does not allow public key-based authentication.

    An existing ~/.ssh directory is not required, as the ssh-keygen command creates this directory if it does not exist and sets up the appropriate access.

    From your ~/.ssh directory, generate a public key/private key pair. For example, to generate an SSH key pair using RSA:

    $ ssh-keygen -t rsa

    Whenever prompted for input, press Enter to accept the default value. (Ensure that no passphrase is entered, or else SSH challenges each authentication attempt, expecting the same passphrase as a response from the user. However, the Db2 product does not allow remote shell utilities to prompt for additional verification.) This action generates two new files in the ~/.ssh directory, id_rsa (the private key) and id_rsa.pub (the public key) for RSA encryption.

    Note: Other encryption types are also supported. However, it is recommended to use RSA encryption as it is more secure.
  4. Generate the key pair on each host, and append the contents of each host's public key to a single file called authorized_keys. Then copy the authorized_keys file to the user's $HOME/.ssh directory on each host and run the chmod 644 authorized_keys command.
  5. For Db2 pureScale clusters using InfiniBand or RoCE networks, during concurrent RDMA connectivity validation, multiple SSH connections are used to spawn server and client processes for the adapters. The maximum number of SSH connections spawned at a given time is limited by the MaxStartups parameter in the /etc/ssh/sshd_config file. The recommendation is to set this value to "50" so that there are sufficient SSH connections at maximum computed concurrency while ensuring that other SSH connections on the host are not impacted.

    To set this value, add the following line to the /etc/ssh/sshd_config file on each host in the Db2 pureScale cluster:

    MaxStartups 50

    For the change to take effect, restart the SSH daemon by running the following command, based on your operating system:
    • On Linux (RHEL 7 / SLES 12 and later):
      systemctl restart sshd
    • On older Linux:
      /etc/init.d/sshd restart
    • On AIX:
      stopsrc -s sshd
      startsrc -s sshd

    Note: The computed concurrency is capped to a portion of the lowest MaxStartups value configured among the hosts in the Db2 pureScale cluster.