Creating the 3-Site Administrator for Metro Mirror configurations

After you generate SSH keys for authentication, you must create a user with the 3-site administrator role on all systems in the 3-site configuration. This user must be the same across all the systems and use the public SSH key that was generated on the 3-Site Orchestrator for authentication.

The 3-Site Administrator role allows a user with those privileges to run specific commands to configure and manage 3-site replication between the systems that are defined in the 3-site configuration. After you create the user with 3-Site Administrator role, you must add the systems as known hosts on the 3-Site Orchestrator host.

Using the management GUI

To create the 3-Site Orchestrator user, complete these steps:
  1. In the management GUI, select Access > Users by Groups > Create User Group.
  2. On the Create User Group page, enter a name for the user group, and select 3-Site Administrator for the role.
  3. Click Create.
  4. In the list of user groups, select the user group that you created and select Create Users.
  5. On the Create Users page, enter the name of the user, and select Local.
  6. To connect to the management GUI with this user, enter and confirm a password.
  7. To add the SSH key, click Browse to locate the public SSH key that was generated for 3-Site Orchestrator and copied to the local workstation.
  8. Click Create.
  9. Repeat these steps on each system in the configuration. Ensure that you create the same user on each system.

After you create the user on each system in the 3-site configuration, log on to the 3-Site Orchestrator host and complete these steps:

  1. On the 3-Site Orchestrator host, enter the following commands to add the systems as known hosts so that passwordless Secure Shell (SSH) connections can be made to them:
    ssh-keyscan <Master system IP address> >> /root/.ssh/known_hosts
    ssh-keyscan <Auxnear system IP address> >> /root/.ssh/known_hosts
    ssh-keyscan <Auxfar system IP address> >> /root/.ssh/known_hosts
    Note: If a keyscan operation was already completed on the same IP address, old hostnames must be removed.

Verify the SSH authentication between the 3-Site Orchestrator host and each system by completing these steps:

  1. On the 3-Site Orchestrator host, open an SSH session to each of the systems in the 3-site configuration and run a basic command. For example,
    <root@ORCH-HOST># ssh username@systemname svcinfo lssystem
    where username is the name of the user and systemname is the system name for the system at one of the sites in the configuration.
  2. If results return from the command, use this command with the corresponding system names at the other sites to verify the SSH connections. If errors occur, the most likely cause is that the systems were not included in the known hosts list. Verify the known hosts list to ensure that the systems are included.

Using the command-line interface

To create the 3-Site Orchestrator user, complete these steps:

  1. In the command-line interface, enter the following command on the system at the master site:
    mkusergrp -name 3SiteAdmin -role 3SiteAdmin

    This command creates the user group, 3SiteAdmin, with the associated role, 3SiteAdmin, which gives the users in this group privileges to access and configure 3-Site Orchestrator objects.

  2. To create the 3-Site Administrator user and add it to the 3SiteAdmin user group, enter the following command:
    mkuser -name tsuser -usergrp 3SiteAdmin -password xxxxxxx
    where tsuser is the name of the user that you are creating in the 3SiteAdmin user group.
  3. To update the user to include the SSH public key for authenticating this user to the 3-Site Orchestrator, enter the following command:
    chuser -keyfile /dumps/id_rsa_pub -gui tsuser

    where id_rsa_pub is the public part of the key pair that is generated on the host by using the ssh-keygen tool.

  4. After you create the user on each system in the 3-site configuration, log on to the 3-Site Orchestrator host and complete these steps:
    1. On the 3-Site Orchestrator host, enter the following commands to add the systems as known hosts so that passwordless Secure Shell (SSH) connections can be made to them:
      ssh-keyscan <Master system IP address> >> /root/.ssh/known_hosts
      ssh-keyscan <Auxnear system IP address> >> /root/.ssh/known_hosts
      ssh-keyscan <Auxfar system IP address> >> /root/.ssh/known_hosts
      Note: If a keyscan operation was already completed on the same IP address, old hostnames must be removed.
  5. Verify the SSH authentication between the 3-Site Orchestrator host and each system by completing these steps:
    1. On the 3-Site Orchestrator host, open an SSH session to each of the systems in the 3-site configuration and run a basic command. For example,
      <root@ORCH-HOST># ssh username@systemname svcinfo lssystem
      where username is the name of the user and systemname is the system name for the system at one of the sites in the configuration.
    2. If results return from the command, use this command with the corresponding system names at the other sites to verify the SSH connections. If errors occur, the most likely cause is that the systems were not included in the known hosts list. Verify the known hosts list to ensure that the systems are included.
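
The known hosts check that closes both procedures above can be scripted. The following is an added example, not part of the product documentation or IBM code: it reports whether each system address is present in a known_hosts file and flags stale entries left by an earlier keyscan of the same address. The function names, the 192.0.2.x addresses and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code); assumes unhashed entries as written by ssh-keyscan without -H.
# host_status FILE HOST: prints OK, MISSING or CONFLICT for one host.
host_status() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ || $1 ~ /^@/ { next }   # comments, blanks, markers
        {
            n = split($1, names, ",")    # first field may list several names
            for (i = 1; i <= n; i++) {
                if (names[i] != want) continue
                found = 1
                # Same host and key type but a different key: stale entry
                if (($2 in key) && key[$2] != $3) conflict = 1
                key[$2] = $3
            }
        }
        END {
            if (!found) print "MISSING"
            else if (conflict) print "CONFLICT"
            else print "OK"
        }
    ' "$1"
}

# audit_known_hosts FILE HOST...: one status line per host, non-zero on any problem.
audit_known_hosts() {
    file=$1; shift
    rc=0
    for h in "$@"; do
        s=$(host_status "$file" "$h")
        printf '%s %s\n' "$s" "$h"
        [ "$s" = OK ] || rc=1
    done
    return "$rc"
}

# Constructed sample: documentation addresses and dummy key strings.
sample_known_hosts() {
    cat <<'EOF'
192.0.2.10 ssh-ed25519 DUMMY-master-key
192.0.2.20 ssh-ed25519 DUMMY-auxnear-old-key
192.0.2.20 ssh-ed25519 DUMMY-auxnear-new-key
EOF
}

tmp=$(mktemp)
sample_known_hosts > "$tmp"
audit_known_hosts "$tmp" 192.0.2.10 192.0.2.20 192.0.2.30 || echo "known_hosts needs attention"
rm -f "$tmp"
```

Because ssh-keyscan records whatever key the scanned address returns, compare the fingerprints listed by ssh-keygen -lf /root/.ssh/known_hosts with values obtained from each system over a trusted path before relying on the entries.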