[Linux]

Setting up passwordless SSH and sudo access

You can set up passwordless SSH and sudo access so that you only need to issue configuration commands on one node in the HA group. (Setting up such access is optional; alternatively, you can run the commands on each node.)

About this task

To set up passwordless SSH you must configure the mqm id on each node, then generate a key on each node for that user. You then distribute the keys to the other nodes, and test the connection to add each node to the list of known hosts. Finally you lock down the mqm id, then create sudo access for the mqm id on each node.

The main advantage of passwordless SSH is that you can coordinate RDQM actions, such as the creation and deletion of the HA group and of HA queue managers, from one node. Using passwordless SSH requires the setup described in this topic and has some security implications:
  • Anyone who gains access to the mqm user on one node can SSH to the same user on the other two nodes. Removing the mqm password and locking the ID, as described at the end of this procedure, reduces this exposure by ruling out password logins to mqm: the account can then be reached only by su from root or by the SSH key from a peer node.
  • The private key is generated without a passphrase so that the RDQM commands can use it non-interactively, so the usual principles for protecting an unencrypted private key apply: it must remain readable only by mqm (mode 600 in a mode 700 .ssh directory) and must not be copied off the node.
  • SSH communication is performed on the HA primary and alternate interfaces of the HA nodes.
The following RDQM commands use passwordless SSH when it is configured; without it, they must be run as follows:
  • crtmqm -sx: without passwordless SSH, you have to run crtmqm -sxs on your two secondary nodes.
  • dltmqm: without passwordless SSH, you have to issue the command on all HA nodes.
  • rdqmadm -c or rdqmadm -u: without passwordless SSH, you have to run the command on all HA nodes.

When your RDQM configuration is complete, you can remove the passwordless SSH setup and the sudo access, if required. Either delete the mqm authentication keys from the nodes or, if you want to be able to use the setup again later, disable public key authentication for SSH.

Note: The instructions assume that you are defining an HA group with separate primary, alternate, and replication interfaces, and you therefore define passwordless SSH access over the primary and alternate interfaces. If you plan to configure a system with a single IP address, then you define passwordless SSH access over that single interface. If you plan to configure a system with two IP addresses for HA_Primary and HA_Replication, SSH must be configured for the HA_Primary address.

You can then create sudo access for the mqm id on each node.

Procedure

  1. To set up passwordless SSH:
    1. On each of the three nodes, complete the following steps to set up the mqm user and generate an SSH key:
      1. Change the mqm home directory to /home/mqm:
        usermod -d /home/mqm mqm
      2. Create the /home/mqm directory:
        mkhomedir_helper mqm
      3. Add the mqm password:
        passwd mqm
      4. Run the interactive shell as mqm:
        su mqm
      5. Generate the mqm authentication key:
        ssh-keygen -t rsa -f /home/mqm/.ssh/id_rsa -N ''
    2. On each of the three nodes, complete the following steps to add that node's key to the other two nodes and test the connections for each node's primary and (if used) alternate addresses:
      1. Add the key to the remote nodes:
        ssh-copy-id -i /home/mqm/.ssh/id_rsa.pub remote_node1_primary_address
        ssh-copy-id -i /home/mqm/.ssh/id_rsa.pub remote_node1_alternate_address
        ssh-copy-id -i /home/mqm/.ssh/id_rsa.pub remote_node2_primary_address
        ssh-copy-id -i /home/mqm/.ssh/id_rsa.pub remote_node2_alternate_address
      2. Check passwordless SSH and update known_hosts for remote nodes:
        ssh remote_node1_primary_address uname -n
        ssh remote_node1_alternate_address uname -n
        ssh remote_node2_primary_address uname -n
        ssh remote_node2_alternate_address uname -n
        For each connection, you are prompted to confirm the host key before proceeding. Before you accept, compare the fingerprint shown with the output of ssh-keygen -lf on the peer's host public key in /etc/ssh, then confirm to update known_hosts. You must complete this for every address before you attempt to configure the HA group using passwordless SSH, because the RDQM commands cannot answer the prompt.
      3. Exit the interactive shell as mqm:
        exit
    3. On each node, as root, complete the following steps to remove the mqm password and lock the ID. This prevents password logins to mqm; public key SSH between the nodes continues to work, which is what the RDQM commands rely on:
      1. Remove the mqm password:
        passwd -d mqm
      2. Lock mqm:
        passwd -l mqm
  2. On each node, as root, set up sudo access for the mqm user by creating the file /etc/sudoers.d/mqm, owned by root with mode 0440, containing the following text. The grant is deliberately limited to the RDQM binaries rather than ALL; check the file with visudo -cf /etc/sudoers.d/mqm before relying on it:
    mqm ALL=(root) NOPASSWD: /opt/mqm/bin/crtmqm, /opt/mqm/bin/dltmqm, /opt/mqm/bin/rdqmadm, /opt/mqm/bin/rdqmstatus, /opt/mqm/bin/rdqmdr
  3. Optionally, when you have created your RDQM configuration, remove the passwordless SSH set up by reversing these steps as follows:
    1. Remove /etc/sudoers.d/mqm on all nodes.
    2. Unlock the mqm user (if desired).
    3. Remove the public/private keys from the nodes.
    4. Remove the peer nodes' entries from the mqm authorized_keys file on each node.
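The following audit script is an added example and is not part of the IBM MQ documentation or product. It checks one node against the state the procedure above should leave behind: the mqm key permissions, an unencrypted private key, a known_hosts entry for every peer address, a locked mqm password, and a sudoers fragment that grants only commands under /opt/mqm/bin. It assumes bash with GNU coreutils (stat -c), the /home/mqm home directory and /etc/sudoers.d/mqm path from the procedure, and unhashed known_hosts entries (the default on RHEL). The script name rdqm_ssh_audit.sh is a placeholder.

```shell
#!/bin/bash
# Post-setup audit of one RDQM node's passwordless SSH and sudo configuration.
# Added example; not part of the IBM MQ documentation or product. Assumes bash,
# GNU coreutils (stat -c), and unhashed known_hosts entries.
# Every check takes its input as arguments so it can be run against test files.

# True if the file or directory $1 has exactly the octal mode $2 (e.g. 700).
mode_is() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

# True if $1 is not writable by group or other (sudo ignores sudoers.d files that are).
no_group_other_write() {
    local m
    m=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ $(( 8#$m & 022 )) -eq 0 ]
}

# The mqm key material: .ssh must be 700, the private key 600, the public key present.
check_ssh_dir() {
    local home=$1
    mode_is "$home/.ssh" 700 || return 1
    mode_is "$home/.ssh/id_rsa" 600 || return 1
    [ -f "$home/.ssh/id_rsa.pub" ]
}

# The key was generated with -N '' so the RDQM commands can use it without a prompt;
# ssh-keygen -y only succeeds if the key opens with the given (empty) passphrase.
key_unencrypted() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# True if every address given after the known_hosts path has an entry in that file.
# The host field may hold several names separated by commas; @marker lines are skipped.
known_hosts_cover() {
    local kh=$1 addr
    shift
    for addr in "$@"; do
        awk -v a="$addr" '
            /^[@#]/ { next }
            { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == a) found = 1 }
            END { exit !found }' "$kh" || return 1
    done
}

# True if the shadow entry $1 (e.g. from "getent shadow mqm") has a locked or
# unusable password field: "!" after passwd -d followed by passwd -l, or "*".
account_locked() {
    local field
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the sudoers fragment $1 grants mqm only commands under /opt/mqm/bin
# (so never ALL) and is not group/world writable.
sudoers_ok() {
    local f=$1 cmds c
    no_group_other_write "$f" || return 1
    cmds=$(sed -n 's/^mqm[[:space:]][[:space:]]*ALL=(root)[[:space:]][[:space:]]*NOPASSWD:[[:space:]]*//p' "$f")
    [ -n "$cmds" ] || return 1
    for c in $(printf '%s\n' "$cmds" | tr ',' ' '); do
        case $c in
            /opt/mqm/bin/*) ;;
            *) return 1 ;;
        esac
    done
}

# Run every check on this node. Usage (as root): ./rdqm_ssh_audit.sh --audit ADDR...
# where ADDR... are the remote nodes' primary and alternate addresses.
audit_node() {
    local home=/home/mqm rc=0
    check_ssh_dir "$home" || { echo "FAIL: $home/.ssh permissions or key files"; rc=1; }
    key_unencrypted "$home/.ssh/id_rsa" || { echo "FAIL: id_rsa has a passphrase"; rc=1; }
    known_hosts_cover "$home/.ssh/known_hosts" "$@" || { echo "FAIL: known_hosts is missing a peer address"; rc=1; }
    account_locked "$(getent shadow mqm)" || { echo "FAIL: mqm still has a usable password"; rc=1; }
    sudoers_ok /etc/sudoers.d/mqm || { echo "FAIL: /etc/sudoers.d/mqm missing, writable, or too broad"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    shift
    audit_node "$@"
fi
```

Run it as root on each node after step 2, passing the other two nodes' primary and alternate addresses; a non-zero exit with a FAIL line names the step that was skipped or done out of order. The sudoers check is the one worth keeping after the HA group is built, because a later edit that widens the grant to ALL turns the locked mqm account into an unattended root path reachable by key from any peer.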