Authentication Options for Oracle Fleet Patching and Provisioning Operations
Some RHPCTL commands show authentication choices as an optional parameter.
Specifying an authentication option is not required when running an RHPCTL command on an Oracle Fleet Patching and Provisioning Client, nor when running an RHPCTL command on the Oracle Fleet Patching and Provisioning Server and operating on an Oracle Fleet Patching and Provisioning Client, because the server and client establish a trusted relationship when the client is created, and authentication is handled internally each time a transaction takes place. (The only condition for server/client communication under which an authentication option must be specified is when the server is provisioning a new Oracle Grid Infrastructure deployment—in this case, the client does not yet exist.)
rhpclient-less target, you must provide the Oracle Fleet Patching and Provisioning Server with information allowing it to authenticate with the rhpclient-less target. The options are as follows:
- Provide the root password (on stdin) for the rhpclient-less target
- Provide the sudo user name, sudo binary path, and the password (stdin) for rhpclient-less target
- Provide a password (either root or sudouser) non-interactively from local encrypted store (using the -cred authentication parameter)
- Create credentials using the rhpctl add credentials command and provide credentials using the -cred option.
- Provide a path to the identity file stored on the Oracle Fleet Patching and Provisioning Server for SSL-encrypted passwordless authentication (using the -auth sshkey option)
Passwordless Authentication Details
rhpclient-less targets over SSH using a key pair. To enable this option, you must establish user equivalence between the crsusr on the Oracle Fleet Patching and Provisioning Server and root or a sudouser on the rhpclient-less target.
Note:
The steps to create that equivalence are platform-dependent and so not shown in detail here. For Linux, see commands ssh-keygen to be run on the rhpclient-less target and ssh-copy-id to be run on the Oracle Fleet Patching and Provisioning Server.
crsusr on the Oracle Fleet Patching and Provisioning Server and root on the rhpclient-less target, nonRHPClient4004.example.com, and saved the key information on the Oracle Fleet Patching and Provisioning Server at /home/oracle/rhp/ssh-key/key -path, then the following command will provision a copy of the specified gold image to the rhpclient-less target with passwordless authentication:

$ rhpctl add workingcopy -workingcopy db12102_160607wc1 -image db12102_160607 -targetnode nonRHPClient4004.example.com -path /u01/app/oracle/12.1/rhp/dbhome_1 -oraclebase /u01/app/oracle -auth sshkey -arg1 user:root -arg2 identity_file:/home/oracle/rhp/ssh-key/key
crsusr on the Oracle Fleet Patching and Provisioning Server and a privileged user (other than root) on the rhpclient-less target, the -auth portion of the command would be similar to the following:

-auth sshkey -arg1 user:ssh_user -arg2 identity_file:path_to_identity_file_on_RHPS -arg3 sudo_location:path_to_sudo_binary_on_target
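
The identity file used with -auth sshkey grants root or sudo access on the target, so it is worth checking how it is stored on the Oracle Fleet Patching and Provisioning Server before use. The following is an added example, not Oracle code: the function names check_identity_file and build_sshkey_auth are hypothetical, and it assumes a Linux server where the key should be owned by the user who runs rhpctl.

```shell
#!/bin/sh
# Added example (not part of the Oracle documentation). Function names are
# hypothetical; the -auth/-arg formats are the ones shown on this page.

# check_identity_file PATH
# Succeeds only if PATH is a regular file (not a symlink), owned by the
# invoking user, with no group/other permission bits, and located in a
# directory that group and other cannot write to.
check_identity_file() {
    key=$1
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "reject: $key is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    if [ ! -O "$key" ]; then
        echo "reject: $key is not owned by $(id -un)" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "reject: $key is accessible to group or other (chmod 600)" >&2
        return 1
    fi
    # Characters 6 and 9 are the directory's group-write and other-write bits.
    if [ "$(ls -ld "$(dirname "$key")" | cut -c6,9)" != "--" ]; then
        echo "reject: directory of $key is writable by group or other" >&2
        return 1
    fi
    return 0
}

# build_sshkey_auth USER KEYFILE [SUDO_PATH]
# Prints the -auth portion of the rhpctl command after the key passes the
# check. A target user other than root must supply the sudo binary path.
build_sshkey_auth() {
    user=$1 keyfile=$2 sudo_path=${3:-}
    check_identity_file "$keyfile" || return 1
    if [ "$user" = "root" ]; then
        printf '%s\n' "-auth sshkey -arg1 user:root -arg2 identity_file:$keyfile"
    elif [ -n "$sudo_path" ]; then
        printf '%s\n' "-auth sshkey -arg1 user:$user -arg2 identity_file:$keyfile -arg3 sudo_location:$sudo_path"
    else
        echo "reject: non-root user $user needs the sudo path on the target" >&2
        return 1
    fi
}
```
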