EBS R12.2: ADOP Online Patching - Set Up Secure Shell(ssh) on Application Tier Nodes

In EBS R12.2.x, ADOP online patching cycle in a muti-node environment will fail if the passwordless ssh is not enabled.

In a multi-node environment, adop commands are invoked by a user on the primary node. Internally, adop uses Secure Shell (ssh) to automatically execute required patching actions on all secondary nodes. You must set up passwordless ssh connectivity from the primary node to all secondary nodes.

Principles

The ssh-keygen command is used to generate a private/public key pair. The private key is for the node from where all the remote nodes will subsequently be accessible by an ssh login that requires no password. The public key must be copied to each remote node's <User Home Dir>/.ssh directory.

In essence, the sequence is as follows:

1. The following command initiates the creation of the key pair:

$ ssh-keygen -t rsa

Note: The <Enter> key should be pressed instead of a passphrase being entered.

2. The private key is saved in <User Home Dir>/.ssh/id_rsa.

Tip: As this read-only file is used to decrypt all correspondence encrypted with the public key, its contents must not be shared with anyone.

3. The public key is saved in <User Home Dir>/.ssh/id_rsa.pub.
4. The contents of the public key are then copied to the <User Home Dir>/.ssh /authorized_keys file on the systems you subsequently wish to ssh to without being prompted for a password.

The following example demonstrates the steps:

1.  $ ssh-keygen -t rsa

2.  Generating public/private rsa key pair.

3.  Enter file in which to save the key (/u01/user2/.ssh/id_rsa):<Enter>

4.  Enter passphrase:<Enter>

5.  Enter same passphrase again:<Enter>

6.  Your identification has been saved in /u01/user2/.ssh/id_rsa.

7.  Your public key has been saved in /u01/user2/.ssh/id_rsa.pub.

8.  The key fingerprint is: 16:d0:e2:dd:37:2f:8e:d5:59:3e:12:9d:2f:12:1e:5a

9.  $ scp -pr /u01/user2/.ssh/id_rsa.pub \

10.user2@system1:/u01/user2/.ssh/authorized_keys

11.user2@system1's password:<password>

12. id_rsa.pub 100% 398 0.4KB/s 00:00

13. $ ssh user2@system1

Note: If you receive this message, it can safely be ignored: Warning: untrusted X11 forwarding setup failed: xauth key data not generated Warning: No xauth data; using fake authentication data for X11 forwarding.

Once this has been done for the relevant operating system account on all nodes - that is, ssh can log in from the primary node to each secondary node without entering a password - so you are ready to run adop on multiple application tier nodes. It must be run on at least the master (admin) node: from there, it will attempt to contact all the other application tier nodes that are part of the same Oracle E-Business Suite instance, and will run the required steps remotely on those nodes.

Tip: If you change the password for the relevant operating system account on one or more nodes, you must regenerate the ssh credentials either using the $AD_TOP/patch/115/bin/txkRunSSHSetup.pl script, or your own native solution if you prefer.

The txkRunSSHSetup.pl script has a -help option that shows relevant usage options.

For example, a basic command to enable ssh would be:

$ perl $AD_TOP/patch/115/bin/txkRunSSHSetup.pl enablessh -contextfile=<CONTEXT_FILE> -hosts=h1,h2,h3$

To verify ssh operation:

$ perl $AD_TOP/patch/115/bin/txkRunSSHSetup.pl verifyssh -contextfile=<CONTEXT_FILE> -hosts=h1,h2,h3 \

-invalidnodefile=<filename to report ssh verification failures>

To disable ssh:

$ perl $AD_TOP/patch/115/bin/txkRunSSHSetup.pl disablessh \

-contextfile=<CONTEXT_FILE> -hosts=h1,h2,h3 \

Happy Learning!