SSH Key-Based Connectivity
Introduction
Depending on environment configuration, password-less SSH access from the Oracle Database server(s) to a node where Sqoop, Spark Submit or HDFS commands can be run may be needed.
With Cloudera Data Hub and Cloudera Data Platform Private Cloud the use of WebHDFS removes the SSH dependency for HDFS commands but SSH connectivity to Hadoop to run Sqoop or Spark Submit jobs is still a potential requirement.
The requirement for SSH access from the Oracle Database server(s) to a destination node can be completely removed by installing Gluent Data Platform on the destination node, in addition to the mandatory installation on the Oracle Database server(s). This allows all commands to be executed on the destination node without any SSH requirement.
Password-less SSH connectivity can be achieved using Kerberos or keys.
In the examples below the Gluent Data Platform software is installed as the oracle user on the Oracle Database server, and gluent is the user on the destination node.
Kerberos
To use Kerberos for password-less SSH connectivity between the Oracle Database server(s) and destination node(s), a valid Kerberos ticket must be obtained. This is typically achieved using kinit (as oracle) with a password:
$ kinit gluent
or keytab:
$ kinit -kt <path to keytab file> gluent
Once a valid ticket has been obtained, the user can SSH as the gluent user to any host that is present in the Kerberos Domain Controller, provided the associated keytab file has been copied to /etc/krb5.keytab on the destination host.
To forward the ticket to the destination host, the following SSH option should be specified for all relevant hosts in the ~/.ssh/config file for the oracle user on the Oracle Database server:
GSSAPIDelegateCredentials yes
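The option above is set per Host entry in ~/.ssh/config. As an added example (not part of the Gluent documentation), the shell function below lists the Host patterns in a client configuration for which GSSAPIDelegateCredentials is enabled, so ticket forwarding can be confirmed for the destination nodes and noticed if it is switched on for every host. The host names hadoop-edge-01 and hadoop-edge-02 and the sample configuration are constructed; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: report where GSSAPIDelegateCredentials is enabled in an
# ssh client configuration (for example the oracle user's ~/.ssh/config).

# delegating_hosts [config-file]
# Prints one Host pattern per line for every "GSSAPIDelegateCredentials yes".
# Reads stdin when no file is given. Keywords are matched case-insensitively
# and both "Key value" and "Key=value" forms are accepted.
delegating_hosts() {
    awk '
        BEGIN { n = 1; cur[1] = "*" }  # options before any Host line apply to all hosts
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (line == "" || line ~ /^#/) next
            if (!match(line, /[ \t=]+/)) next       # keyword without a value
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            if (key == "host")  { n = split(val, cur, /[ \t]+/); next }
            if (key == "match") { n = 0; next }     # Match scopes are skipped
            if (key == "gssapidelegatecredentials" && tolower(val) == "yes")
                for (i = 1; i <= n; i++) print cur[i]
        }
    ' "$@"
}

# Constructed sample configuration: delegation is limited to the two
# destination nodes and explicitly off for everything else.
sample_config() {
    cat <<'EOF'
Host hadoop-edge-01 hadoop-edge-02
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    gssapidelegatecredentials=no
EOF
}

# Prints hadoop-edge-01 and hadoop-edge-02, one per line.
sample_config | delegating_hosts
```

The function reports where the option is written, not which value wins when several entries match a host; `ssh -G <destination-node>` prints the configuration OpenSSH resolves for that host.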
Keys
The following covers how to create and distribute an SSH key to allow password-less SSH access.
Create SSH key pair (as oracle)
Note: This step is only required if the SSH key pair does not already exist.
$ ssh-keygen
Copy the oracle user's key to the destination node(s) (repeat for each destination node) (as oracle)
$ ssh-copy-id gluent@<destination-node>
Test key-based authentication (as oracle)
$ ssh gluent@<destination-node> date