Set up SSH Key-based Authentication
Set up and verify SSH key-based authentication from the operator node to the Kubernetes nodes. Do not set a passphrase when creating the key pair as this will prevent automatic processes from running seamlessly. Take appropriate steps to ensure the private key remains secure.
Set up SSH key-based authentication for the user that is to run the Platform CLI (olcnectl) installation commands to enable login from the operator node to the following nodes:
- Each Kubernetes node.
- The Platform API Server node.
The following steps demonstrate one way of setting up the SSH key-based authentication:
- Generate the private and public key pair:
  On the operator node, run ssh-keygen as the user that you use to run olcnectl commands. Do not create a passphrase for the key (press <Enter> when prompted for a passphrase). For example:

      ssh-keygen

  Output similar to the following is displayed:

      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/oracle/.ssh/id_rsa):<Enter>
      Enter passphrase (empty for no passphrase): <Enter>
      Enter same passphrase again: <Enter>
      Your identification has been saved in /home/oracle/.ssh/id_rsa.
      Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
      ...

  In this example and all subsequent steps, the oracle user is used. Your username may differ.
- Verify the location of the private and public key pair:
  Verify the private and public key pair have been created at the location reported in the ssh-keygen command output:

      ls -l /home/oracle/.ssh/

      ...
      -rw-------. 1 oracle oracle 2643 Jan 10 14:55 id_rsa
      -rw-r--r--. 1 oracle oracle 600 Jan 10 14:55 id_rsa.pub
      ...

  The public key is indicated by the file with the “.pub” extension.
- Set up the public key on the target nodes:
  Add the contents of the public key to the $HOME/.ssh/authorized_keys file on each target node for the user for which the key-based SSH is being set up. The following are possible ways of doing this:
  - Run the ssh-copy-id Command:
    For systems with password authentication enabled, you have the option of running the ssh-copy-id command on the operator node. The syntax is as follows:

        ssh-copy-id user@host

    When prompted, enter the user’s password for the host. Once the command successfully completes, the public key’s contents will have been added to the copy of the user’s $HOME/.ssh/authorized_keys file on the remote host.
    The following example shows how the ssh-copy-id command can be used to add the public key to the authorized_keys file for user oracle on host 192.0.2.255:

        ssh-copy-id oracle@192.0.2.255

        /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/oracle/.ssh/id_rsa.pub"
        /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
        /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
        oracle@192.0.2.255's password:

        Number of key(s) added: 1

        Now try logging into the machine, with: "ssh 'oracle@192.0.2.255'"
        and check to make sure that only the key(s) you wanted were added.
  - Manually setting the authorized_keys file
    If you do not have access to the ssh-copy-id command or are unable to access the system remotely with a password, you must populate the $HOME/.ssh/authorized_keys file on the target nodes manually. The following steps show how this can be done:
    - On the operator node, display the contents of the public key file you have created. Continuing with our example, we would do this as follows:

          cat /home/oracle/.ssh/id_rsa.pub

          ssh-rsa AQRayc2EAAAABIwAAAQEA6OabJhWABsZ4F3mcjEPT3sxnXx1OoUcvuC...
          ...OEKX9Kp9QWH+IfASI8q09xQ= oracle@svr-operator-node

    - Copy the public key you have created.
    - Log in to one of the target servers.
    - Confirm the location of the $HOME/.ssh/authorized_keys file belonging to the user whose key-based access you are setting up. For example:

          ls /home/oracle/.ssh/authorized_keys

          /home/oracle/.ssh/authorized_keys

    - Append the public key to the authorized_keys file.
    - Ensure that the permissions of the user's $HOME/.ssh directory and $HOME/.ssh/authorized_keys file are set correctly:
      - $HOME/.ssh: The recommended permissions are read/write/execute for the user, and not accessible by others, as shown in the following example output:

            drwx------. 2 oracle oracle 66 Jan 11 17:33 /home/oracle/.ssh

      - $HOME/.ssh/authorized_keys: The recommended permissions are read/write for the user, and not accessible by others, as shown in the following example output:

            -rw-------. 1 oracle oracle 1004 Jan 11 17:36 /home/oracle/.ssh/authorized_keys

    - Repeat the steps for the remaining target nodes.
- Verify your user has SSH key-based access from the operator node:
  On the operator node, use ssh to connect to each of the other nodes and confirm login succeeds without being prompted for a password.
  For example, if the user in our case is oracle, and one of the target nodes is host 192.0.2.255, we would confirm key-based SSH access by running the ssh command on the operator node as follows:

      ssh oracle@192.0.2.255
For more information on setting up SSH key-based authentication, see Oracle Linux: Connecting to Remote Systems With OpenSSH
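
The permission and login checks in the steps above can be scripted for all nodes at once. The following is an added example, not part of the original documentation: the function names and the way the user and node list are passed as arguments are assumptions. It uses ssh's BatchMode option so that a node still requiring a password is reported as a failure instead of prompting.

```shell
#!/bin/sh
# Added example (not from the original page): audits the key-based SSH setup.
# Function names and the argument layout (USER HOST...) are assumptions.

# mode_ok PATH MODE: succeed only if PATH exists with exactly octal MODE.
mode_ok() {
    [ -e "$1" ] || return 1
    actual=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# audit_ssh_dir DIR: check the permissions recommended in the steps above.
# Prints one line per finding and returns the number of problems found.
audit_ssh_dir() {
    dir=$1; problems=0
    mode_ok "$dir" 700 || { echo "FAIL $dir should be mode 700"; problems=$((problems+1)); }
    for f in "$dir/id_rsa" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue          # not every node holds both files
        mode_ok "$f" 600 || { echo "FAIL $f should be mode 600"; problems=$((problems+1)); }
    done
    return "$problems"
}

# key_login_ok USER HOST: succeed only if login works without any prompt.
# BatchMode=yes makes ssh fail rather than ask for a password.
key_login_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1@$2" true 2>/dev/null
}

# check_nodes USER HOST...: report each node; return how many failed.
check_nodes() {
    user=$1; shift; failed=0
    for host in "$@"; do
        if key_login_ok "$user" "$host"; then
            echo "OK   $user@$host"
        else
            echo "FAIL $user@$host (key-based login not working)"
            failed=$((failed+1))
        fi
    done
    return "$failed"
}

# Runs only when a user and hosts are given, e.g.: sh check-ssh.sh oracle 192.0.2.255
if [ "$#" -ge 2 ]; then
    audit_ssh_dir "$HOME/.ssh"; dir_rc=$?
    check_nodes "$@"; node_rc=$?
    [ "$dir_rc" -eq 0 ] && [ "$node_rc" -eq 0 ]
fi
```

Run it on the operator node as the user that runs olcnectl; audit_ssh_dir can also be run on a target node to check its authorized_keys permissions.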