When a 3rd-party tool, such as PPM (Project and Portfolio Management) or Venafi (SSL certificate tool), needs to access the Oracle EBS server, we usually have to share the applmgr password with other teams. A better and more efficient way is to give them a private key that lets them log on to the EBS server without entering the password. Steps to accomplish that on RHEL8 servers:
On Oracle EBS server ebs2d (local server):
1. Generate a pair of key files
$ hostname
ebs2d
$ echo $USER
applmgr
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/u06/app/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /u06/app/.ssh/id_rsa.
Your public key has been saved in /u06/app/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3y1+M95Js+4k383juI/qSsxxxxxxx applmgr@ebs2d.domain.com
The key's randomart image is:
+---[RSA 2048]----+
| . . |
| E +S+ |
| o o =... . |
| + B .o.oo..+ |
| o.=++o. o. .@+ |
| .o+=++ .oooB@*|
+----[SHA256]-----+
$ cd .ssh
$ ls -alZ
-rw-------. 1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun 4 20:27 id_rsa
-rw-------. 1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 409 Jun 4 20:27 id_rsa.pub
-rw-------. 1 applmgr grp system_u:object_r:unlabeled_t:s0 3563 Jan 16 11:35 known_hosts
2. Create file authorized_keys as a copy of the public key file id_rsa.pub (or, if the file already exists, append the key to it)
$ cat id_rsa.pub >> authorized_keys
$ chmod 600 authorized_keys # <= the correct permissions are important
3. Change the SELinux labels on file authorized_keys (on RHEL8)
$ chcon -u system_u authorized_keys
$ chcon -t user_home_t authorized_keys
$ ls -alZ
-rw-------. 1 applmgr grp system_u:object_r:user_home_t:s0 409 Jun 4 20:27 authorized_keys
-rw-------. 1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 1843 Jun 4 20:27 id_rsa
-rw-------. 1 applmgr grp unconfined_u:object_r:unlabeled_t:s0 409 Jun 4 20:27 id_rsa.pub
-rw-------. 1 applmgr grp system_u:object_r:unlabeled_t:s0 3563 Jan 16 11:35 known_hosts
4. Copy private key id_rsa to remote server ppm1p and name it meaningfully.
Or, send file id_rsa to other trusted teams.
$ scp -p id_rsa usr@ppm1p:/path/to/applmgr_ebs2d_PPM_key
Password:
id_rsa 100% 1843 903.2KB/s 00:00
On remote server ppm1p (host of 3rd party tool):
After receiving the private key, the other team can set up their server to run scripts against the Oracle EBS server without intervention.
$ cd /path/to
$ ls -alZ
-rw-------. 1 usr group unconfined_u:object_r:unlabeled_t:s0 1843 Jun 4 20:27 applmgr_ebs2d_PPM_key
Now, connect to EBS server using the private key credential (without entering applmgr's password!):
$ hostname
ppm1p
$ echo $USER
usr
$ ssh -i /path/to/applmgr_ebs2d_PPM_key applmgr@ebs2d
Connected!
$ hostname
ebs2d
$ echo $USER
applmgr
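A check for the files created in steps 1 to 3, added here as an example and not part of the original post: it flags modes that sshd or the ssh client reject, and authorized_keys entries that are not limited to a source host with the OpenSSH from="..." option. The function name audit_ssh_dir and the finding labels are made up for this example, and it assumes GNU stat, as shipped on RHEL8.

```shell
#!/bin/sh
# Added example (not from the original post): audit a .ssh directory such as
# /u06/app/.ssh on ebs2d. Prints one finding per line and returns 1 if any.
# Assumes GNU stat (as on RHEL8) for "stat -c %a".

flag() { echo "$1"; findings=$((findings + 1)); }

audit_ssh_dir() {
    dir=$1
    findings=0

    # sshd with StrictModes (the default) ignores authorized_keys when the
    # file or its directory is writable by group or others.
    for path in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$path" ]; then flag "MISSING $path"; continue; fi
        mode=$(stat -c '%a' "$path")
        case $mode in
            *[2367]?|*[2367]) flag "WRITABLE mode=$mode $path" ;;
        esac
    done

    # The ssh client refuses a private key that group or others can access.
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || continue
        mode=$(stat -c '%a' "$key")
        case $mode in
            *00) ;;
            *) flag "EXPOSED_KEY mode=$mode $key" ;;
        esac
    done

    # A passphrase-less key is only as safe as every copy of the file, so
    # flag entries that are not pinned to a source host with from="...".
    if [ -f "$dir/authorized_keys" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) ;;                      # blank line or comment
                ssh-*|ecdsa-*|sk-*) flag "NO_OPTIONS ${line##* }" ;;
                *from=\"*) ;;                    # source-restricted entry
                *) flag "NO_FROM ${line##* }" ;;
            esac
        done < "$dir/authorized_keys"
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh audit_ssh_dir.sh /u06/app/.ssh
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

An entry written as in step 2 is reported as NO_OPTIONS; prefixing it with from="ppm1p" in authorized_keys limits that key to logins from the PPM host.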
My old post has more details on running ssh, sftp, scp between servers without a password.