Setting up db2locssh

You can configure db2locssh so that you can install the Db2® pureScale® feature without enabling remote root login and passwordless SSH.

Before you begin

Disable remote root login on each host in the cluster by modifying the SSH configuration file as follows:
 /etc/ssh/sshd_config:
 PermitRootLogin no #disabled  
For the change to take effect, restart the SSH daemon.

On Linux® (RHEL 7 and above):

 systemctl restart sshd

On other Linux platforms:

 /etc/init.d/sshd restart

On AIX®

 stopsrc -s sshd 
 startsrc -s sshd

About this task

This task describes how to configure db2locssh for installing the Db2 pureScale feature without enabling remote root login and passwordless SSH.

Procedure

To configure db2locssh:

  1. Create a non-root user ID (db2sshid) on all the hosts with the same UID and GID. The db2sshid user is used to establish Secure Shell (SSH) connections between a local host and a remote host.
    Note: At any time, you can have only one non-root user (db2sshid) configured for db2locssh.
  2. Run the setup_db2locssh script from the media path as a root user on all the hosts.

    ./setup_db2locssh <db2sshid>

    The utility is located under <media path>/db2/<platform>/utilities.

    The script generates two pairs of keys as follows:
    • Pair of RSA public and private keys for root: root@host.priv and root@host.pub under /var/db2/db2ssh
    • Pair of RSA public and private keys for SSH user: id_rsa and id_rsa.pub under $HOME/.ssh where $HOME is the home directory of db2sshid.
  3. Exchange the root public keys (root@host.pub) that are generated under /var/db2/db2ssh on all the hosts. After this exchange, every host has the public keys of all other hosts under /var/db2/db2ssh.
    For example, if hostA and hostB are the names of the hosts, exchange the root public keys as follows:
    • Copy the root public key of hostA, root@hostA.pub to hostB under the location /var/db2/db2ssh
    • Copy the root public key of hostB, root@hostB.pub to hostA under the location /var/db2/db2ssh
  4. As an SSH user (db2sshid), create a file that is called authorized_keys under $HOME/.ssh where $HOME is the home directory of db2sshid. Append the contents of each public key id_rsa.pub from each host to the authorized_keys file.
  5. Copy the authorized_keys file to the $HOME/.ssh directory on each host, where $HOME is the home directory of db2sshid.
  6. Run the chmod 644 authorized_keys command to set the permissions of the authorized_keys file on all the hosts.
  7. Log in to each host as an SSH user (db2sshid) and SSH to all the hosts to confirm whether you are able to communicate across all the hosts without a password prompt.

    For example, if there are two hosts, hostA and hostB, do as follows:

    • On hostA as an SSH user (db2sshid):

      ssh <hostA>

      ssh <hostB>

    • On hostB as an SSH user (db2sshid):

      ssh <hostA>

      ssh <hostB>

    Note: Connect by using both the short and the fully qualified hostnames, so that known_hosts is populated with both names.
  8. Run the remote commands to verify the db2locssh configuration.

    For example, if there are two hosts hostA and hostB, do as follows:

    • On hostA as a root user, run the remote command:

      /var/db2/db2ssh/db2locssh hostB 'hostname'

      The command output is hostB.

      /var/db2/db2ssh/db2locssh hostA 'hostname'

      The command output is hostA.

    • On hostB as a root user, run the remote command:

      /var/db2/db2ssh/db2locssh hostB 'hostname'

      The command output is hostB.

      /var/db2/db2ssh/db2locssh hostA 'hostname'

      The command output is hostA.

    If the db2locssh command fails, perform the following checks:

    • Check whether you ran the /var/db2/db2ssh/db2locssh command as the root user.
    • As the non-root SSH user (db2sshid), confirm that you can SSH to all the hosts without a password prompt.
    • Check whether the clocks across the hosts are synchronized.
    • Check operating system logs for more information on db2locssh command failure.
    • Contact IBM® support, if you are unable to resolve the problem.
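As an added example (not part of the IBM documentation or of the setup_db2locssh script), the following POSIX shell functions check, on the local host, the artifacts that steps 1 through 6 produce before you run the db2locssh verification in step 8: the PermitRootLogin setting, the root key pair and the exchanged root public keys under /var/db2/db2ssh, and the mode and key count of the db2sshid authorized_keys file. The paths are parameters so the checks can be exercised on a test tree; `stat -c` and `getent` assume Linux (GNU coreutils), not AIX.

```shell
#!/bin/sh
# Preflight checks for a db2locssh setup on the local host (added example,
# not IBM's own tooling). Checks the artifacts the procedure produces:
#   - PermitRootLogin is "no" in sshd_config (last uncommented value wins)
#   - root@<host>.priv/.pub exist for the local host under the key directory
#   - root@<host>.pub has been exchanged into that directory for every host
#   - authorized_keys of db2sshid is mode 644 with one key line per host
# Assumption: stat -c %a and getent are Linux (GNU) syntax, not AIX.

# check_permit_root_login <sshd_config>
check_permit_root_login() {
    val=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "no" ]
}

# check_root_keys <keydir> <local_host> <cluster_host>...
check_root_keys() {
    keydir=$1; local_host=$2; shift 2; rc=0
    for f in "$keydir/root@$local_host.priv" "$keydir/root@$local_host.pub"; do
        [ -f "$f" ] || { echo "missing local root key: $f"; rc=1; }
    done
    for h in "$@"; do
        [ -f "$keydir/root@$h.pub" ] || { echo "missing exchanged key: root@$h.pub"; rc=1; }
    done
    return $rc
}

# check_authorized_keys <file> <expected_key_count>
check_authorized_keys() {
    file=$1; expected=$2
    mode=$(stat -c %a "$file" 2>/dev/null) || { echo "cannot stat $file"; return 1; }
    [ "$mode" = "644" ] || { echo "authorized_keys mode is $mode, expected 644"; return 1; }
    count=$(grep -c '^ssh-rsa ' "$file" || true)
    [ "$count" -eq "$expected" ] || { echo "authorized_keys has $count keys, expected $expected"; return 1; }
}

# run_preflight <this_host> <other_host>...   (all arguments form the cluster)
# Uses the real paths from the procedure: /etc/ssh/sshd_config, /var/db2/db2ssh
# and $HOME/.ssh of db2sshid; expects one key line per cluster host.
run_preflight() {
    home=$(getent passwd db2sshid | cut -d: -f6)
    check_permit_root_login /etc/ssh/sshd_config || echo "PermitRootLogin is not set to no"
    check_root_keys /var/db2/db2ssh "$1" "$@"
    check_authorized_keys "$home/.ssh/authorized_keys" "$#"
}

# Runs against the real host only when hosts are given, e.g. as root on hostA:
#   sh db2locssh_preflight.sh hostA hostB
if [ "$#" -ge 2 ]; then run_preflight "$@"; fi
```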