Starting from version 11.5.6, you must set up SSH keys to connect between nodes without using a password.
Before you begin
In a partitioned database system, each database partition server must have the authority to
perform remote commands on all the other database partition servers participating in an instance.
You can grant this authority by adding each ssh public key to the authorized keys file of each
machine. Because the home directory for the instance is on the shared Db2® home file system,
only one pair of keys is required for the instance.
About this task
This topic describes how to enable execution of remote commands using SSH. You can also use rsh
to enable execution of remote commands. For more information, refer to "Setting up a partitioned database environment".
Use of rsh is not recommended because it does not meet modern security standards. For information
on using rsh, refer to "Enabling the execution of remote commands using rsh (Linux and UNIX)".
Procedure
- Set up public key-based authentication.
Public key-based authentication enables a single user ID to log in as that same user ID on each
host in the instance without being prompted for a password. If the user ID has a
~/.ssh directory, ensure that it does not allow group or other write access.
Ensure that the home directory for the user does not allow group or other write access. Such
access is considered a security exposure, and if the directory permissions are not restrictive
enough, SSH will not allow public key-based authentication.
An existing ~/.ssh directory is not required, because the
ssh-keygen command creates the necessary ~/.ssh
directory and sets up the appropriate access.
From your ~/.ssh directory, generate a public key/private key pair. For
example, to generate an SSH key pair using RSA:
ssh-keygen -t rsa
When prompted for input, press Enter to accept the default empty value.
Ensure that no passphrase is entered; otherwise, you will be prompted for it at each SSH
authentication attempt. The Db2 database does not
allow remote shell utilities to prompt for additional verification.
This action generates two new files in the ~/.ssh directory,
id_rsa (the private key) and id_rsa.pub (the public key)
for RSA encryption.
Note: Other encryption types are also supported. However, it is recommended to use RSA encryption as
it is more secure.
- Once generated, append the contents of the public key to a single file called
authorized_keys.
Then, copy the authorized_keys file to the user's ~/.ssh directory on
each host and run the chmod 644 authorized_keys command from the Db2 instance owner user ID.
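The following script is an added example, not part of the IBM procedure: it checks the home directory, ~/.ssh and authorized_keys for group or other write access, and appends a public key to authorized_keys without creating duplicate entries. The function names, the db2inst1 user name and the sample key are constructed for illustration, and the demo runs against a temporary directory rather than a real home directory.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical.

# True (0) if the path is writable by group or other.
group_or_other_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print every path under the given home directory that is group/other
# writable; return 1 if any was found, 0 otherwise.
check_ssh_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if group_or_other_writable "$p"; then
            echo "group/other writable: $p"
            rc=1
        fi
    done
    return "$rc"
}

# Append a public key file to authorized_keys unless the same line is
# already present, then apply the mode given in the procedure (644).
append_key() {
    [ -s "$1" ] || return 1
    touch "$2"
    grep -qxFf "$1" "$2" || cat "$1" >> "$2"
    chmod 644 "$2"
}

# Demo on a throwaway directory that stands in for the instance owner's home.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
chmod 755 "$demo_home"; chmod 775 "$demo_home/.ssh"   # deliberately too open
# Constructed sample key line, not a real key.
echo "ssh-rsa AAAAB3CONSTRUCTEDSAMPLEKEY db2inst1@host1" > "$demo_home/.ssh/id_rsa.pub"
append_key "$demo_home/.ssh/id_rsa.pub" "$demo_home/.ssh/authorized_keys"
append_key "$demo_home/.ssh/id_rsa.pub" "$demo_home/.ssh/authorized_keys"  # no duplicate
check_ssh_perms "$demo_home" || chmod 700 "$demo_home/.ssh"
check_ssh_perms "$demo_home" && echo "permissions OK"
rm -rf "$demo_home"
```

Because the instance home directory is shared, running check_ssh_perms once against the instance owner's home covers every host that mounts it.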