| Oracle® Clinical Installation Guide Release 4.6.2 E18817-04 |
|
|
PDF · Mobi · ePub |
| Oracle® Clinical Installation Guide Release 4.6.2 E18817-04 |
|
|
PDF · Mobi · ePub |
The Parameterized SUBmission process (PSUB) schedules jobs, reports, and batch processing for Oracle Clinical.
This chapter describes how to set up a UNIX or Windows server to enable the Oracle Clinical PSUB process. On UNIX servers, you must set up the Secure Shell (ssh) before starting PSUB.
This chapter includes the following topics. The first five topics apply to UNIX only.
Section 8.2, "Setting Up Secure Shell for the rxcprod User (UNIX Only)"
Section 8.3, "Setting Up Oracle Clinical PSUB Users (UNIX Only)"
The PSUB daemon submits 3GL and PL/SQL jobs (C programs like Batch Validation and PL/SQL programs like Study Unfreeze) on a UNIX server. PSUB is run as rxcprod user. When a user submits a job from Oracle Clinical, PSUB creates a process on behalf of the user on the same machine and runs the program.
Beginning with Oracle Clinical 4.6.2, PSUB uses a Secure Shell (ssh) execution service for the rxcprod account to run job requests on behalf of other users who submit jobs with the ssh command or schedule jobs with the at command.
The Secure Shell protocol is designed to create encrypted communications between hosts. In addition to remote shell logins, the Secure Shell protocol allows ssh connections between the accounts of the same name on either system without requiring a password.
Secure Shell replaces Remote Shell (rsh, remsh, and rlogin) used in earlier Oracle Clinical releases.
By default, Secure Shell is installed when the UNIX operating system, such as Oracle Enterprise Linux, Oracle Solaris, and HP-UX Itanium, is installed.
This section describes how to set up Secure Shell on UNIX for RSA-based authentication, which uses a public/private key pair for authentication purposes.
The set up for the public/private key authentication is as follows:
Save the public key in each PSUB user's home directory on the PSUB server machine that they want to access through Secure Shell.
Keep the private key under the rxcprod account on the PSUB server machine.
When the Secure Shell daemon on the PSUB server receives an authentication request from a client, it checks whether the public key is present in the user's home directory. If present, Secure Shell challenges the client with a random string. The client then uses the user's private key to sign the random string, and sends the signature back to the server. The server can then check the validity of the signature using the user's public key, and therefore, authenticating the connection.
To set up Secure Shell and public/private key authentication:
Log in to the Oracle Clinical UNIX server as the rxcprod user.
Use ssh-keygen to create a password-less set of identity keys:
ssh-keygen -t rsa -N ''
The system prompts for the file into which the set of identity keys is saved.
Press Return to accept the default location. This process creates two files in the RXCPROD_HOME directory:
~/.ssh/id_rsa — Contains the private key that represents your identity on that particular machine. Note that the private key is neither world nor group readable. You should never transfer the private key from the machine or change its modes.
~/.ssh/id_rsa.pub — Contains the public key, which is world readable. Secure Shell and other programs can use the public key to encrypt messages that only you can decrypt using the private key. The -N ' ' argument to the ssh-keygen command specifies that no passwords are associated with the public keys.
Before setting up the PSUB user, make sure that any user account that will run PSUB jobs uses the C Shell (csh). The default shell gets set up when you create the user account.
To set up a PSUB user:
Log in to the Oracle Clinical UNIX server as a PSUB user.
For example, log in as the guest1 OS user for the ops$guest1 Oracle Clinical account.
Navigate to the GUEST1_HOME directory.
Create the .ssh directory if it does not exist, and set the permission to 700:
mkdir .ssh chmod 700 .ssh cd ~/.ssh
Append the contents of the id_rsa.pub file located in the RXCPROD_HOME/.ssh directory to the authorized_keys file located in the GUEST1_HOME/.ssh directory. For example:
cat /tmp/id_rsa.pub >> authorized_keys
You may need to create the authorized_keys file if it does not exist. To do this, user rxcprod must copy the id_rsa.pub file to the /tmp directory and make the file world readable. Then, user guest1 can read the file from there. Make sure you remove the copy from /tmp when you are done.
Change the permission of the authorized_keys file to 600:
chmod 600 authorized_keys
Note:
You must repeat this procedure for each user who needs to run PSUB.Before you start up the PSUB process, test that you configured Secure Shell properly for your PSUB users.
To verify your configuration, run the following tests from the rxcprod account:
You can validate whether a PSUB user can authenticate using the public keys (no password). You must run this test from the rxcprod account.
For example, to validate whether PSUB user ops$jjsmith can authenticate using the public keys, enter the following command:
ssh -n -l jjsmith $HOST 'ls -arlt'
In addition, Secure Shell provides mutual machine-level (IP address) authentication. This authentication is done by using public/private keys that are created when Secure Shell is installed on a given machine.
When connecting to the same local machine using Secure Shell for the first time, Secure Shell displays a set of messages and prompts, including a unique key. For example:
The authenticity of host 'server_name.us.oracle.com (IP_address)' can't be established.
RSA key fingerprint is 8a:0d:66:de:53:7c:f1:16:99:c3:63:97:4c:66:65:c7.
Are you sure you want to continue connecting (yes/no)?
Note:
Save a copy of the RSA key fingerprint. You will need this information to test the fingerprint of the public key.Your Secure Shell client wants to make sure that you are connecting to the server you intended, and not to some other server playing man-in-the-middle. When you answer yes to the question, Secure Shell saves the public key presented by the server into your known_hosts file, proceeds with the connection, and displays the following message:
Warning: Permanently added 'server_name.us.oracle.com, IP_address' (RSA) to the list of known hosts.
Once you establish a connection, check the fingerprint of the public key of the server, which resides somewhere on its disk.
To check the RSA key fingerprint:
Enter the following command:
-sh-3.2$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
The server returns the unique RSA key fingerprint found in the /etc/ssh/ssh_host_rsa_key.pub file. For example:
2048 8a:0d:66:de:53:7c:f1:16:99:c3:63:97:4c:66:65:c7
Verify that this key matches the key returned when you validated the IP address. (See Section 8.4.1.)
If the keys match, then the server's public key that is saved in the known_hosts file is good. From now on, the system will not prompt for confirmation before connecting to the server.
If the keys do not match, contact your system administrator.
Note:
If the PSUB user's home directory or the rxcprod home directory has 777 permissions, then Secure Shell will not work.To use the at command to schedule jobs on behalf of another user, the rxcprod user must be listed in the at.allow file.
To edit the at.allow file:
The PSUB process schedules reports and batch processing. Note that:
You start one PSUB process for each Oracle database instance supporting an Oracle Clinical installation.
Each database instance can have only one PSUB process.
You must locate PSUB on the same computer as the database installation.
Note:
For information on starting PSUB automatically on UNIX and Windows, see the Oracle Clinical Administrator's Guide.To start the PSUB process on UNIX:
Log in to the Oracle Clinical UNIX server as the rxcprod user. Note that you must log in as rxcprod to start the PSUB process.
Set up the environment:
p1=database_name p2=code_environment . opa_setup
For example:
p1=prod p2=462 . opa_setup
Start the PSUB process:
start_psub database_name code_environment
For example:
start_psub prod 462
To change the startup of the PSUB service on Windows:
Log in as Administrator.
Set the PSUB service parameters:
In the Start menu, navigate to Administrative Tools, then Services.
From the list of services in the Services dialog box, double-click the name of the database for this service. It is in this form:
PSUB Service database
For Startup type, select Manual.
Click the Log On tab.
For Log On As, select This account and then enter RXCPROD in the field.
(The task of creating the RXCPROD account occurs during the installation of the Database Server. See Section 3.2.1, "Create the RXCPROD Account" for more information.)
In the Password and Confirm Password fields, enter the RXCPROD password.
Click OK to close the dialog box.
Exit from the Services dialog box.
Log off this Administrator session.
To be able to start PSUB on Windows, the OSAUTH_PREFIX_DOMAIN setting in the Windows System Registry must be set to FALSE. Otherwise, the operating system authentication prefix is OPS$hostname\ instead of OPS$.
The OSAUTH_PREFIX_DOMAIN registry setting is located at:
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\KEY_OraDb11g_home1
where OraDb11g_home1 is the Home name of your Oracle Database 11g Release 2 (11.2.0.2) Patch Set 1 installation.
To start PSUB as a Windows process:
Log in to the computer as user RXCPROD. (You set up the PSUB service to start as the RXCPROD user, but in Windows you can start the service when logged on as another user.)
Set the PSUB service parameters:
In the Start menu, navigate to Administrative Tools, then Services.
From the list of services in the Services dialog box, double-click the name of the database for this service. It is in this form:
PSUB Service database
Enter values for the Log On parameters:
database code_environment [verbose | noverbose] value-of-RXC_ROOT
For example: prod 462 verbose c:\\opapps\\oc\\462
Note:
If your entry requires a backslash (\), you must enter two (\\). Alternatively, you can enter the path using single forward slashes, for example, c:/OPA_HOME/oc/46.Click Start.
Exit from the Services dialog box.
To test your PSUB installation:
Open Oracle Clinical.
Submit a 3GL job such as Batch Validation or a PL/SQL job such as Study Unfreeze.
Verify that Oracle Clinical creates the log and output files in the user's log directory.
If you encounter problems or errors, review the messages in the PSUB log files created in the following directory:
If the PSUB user's home directory or the rxcprod home directory has 777 permissions, then Secure Shell will not work.
For PSUB to work correctly for a UTF8 character set database, the opa_settings file must have the following setting:
UNIX db_env_setting:database:NLS_LANG:american_america.utf8
If you do not have a UTF8 character set database, you can use these character sets:
american_america.us7ascii
american_america.we8iso8859p1
Windows Set NLS_LANG=american_america.utf8
If you do not have a UTF8 character set database, you can use these character sets:
american_america.us7ascii
american_america.we8iso8859p1
You can customize the PSUB process as follows:
Automatic Startup — By default, the PSUB service does not start automatically when you restart a server computer. However, you can configure the PSUB service to start automatically.
Job Numbering — You can change Oracle Clinical's default job numbering algorithm.
For more information about managing and customizing the PSUB process, see the Oracle Clinical Administrator's Guide.
|
 Copyright © 1996, 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
