Updated on 2022-03-04 GMT+08:00

Configuring SSH Switching Permissions

Scenarios

To allow SSH switching between SAP S/4HANA ECSs and NAT servers, you must configure the ECSs and NAT servers to trust each other.

Procedure

  1. Upload the key file to the NAT server.

    1. On the local computer, generate the key file for logging in to the NAT server.

      When you created the NAT server, you specified the certificate key file (.pem file) for the NAT server.

      Use PuTTYgen to convert the .pem file into a .ppk file.

    2. On the local computer, install the WinSCP software.
    3. Upload the certificate private key file (.pem file) to the NAT server.

      Use WinSCP to upload the certificate private key file (.pem file) to the /usr directory on the NAT server through its elastic IP address. Authenticate as user root with the key file (.ppk file).

    4. Use PuTTY to log in to the NAT server. Ensure that user root and the key file (.ppk file) are used for authentication.
    5. Copy the certificate private key file (.pem file) to the /root/.ssh directory and rename the file id_rsa.

      For example, if the original file name is private.pem, run the following commands to copy it under the new name and restrict its permissions:

      cp /usr/private.pem /root/.ssh/id_rsa

      cd /root/.ssh/

      chmod 600 id_rsa

  2. Use the server/client plane IP addresses to distribute the locally stored private key file and authorized_keys file to all SAP S/4HANA ECSs.

    The command is in the following format:

    scp /root/.ssh/id_rsa <Peer IP address>:/root/.ssh/id_rsa

    scp /root/.ssh/authorized_keys <Peer IP address>:/root/.ssh/

    For example, if the peer IP address is 10.0.3.52, run the following commands:

    scp /root/.ssh/id_rsa 10.0.3.52:/root/.ssh/id_rsa

    scp /root/.ssh/authorized_keys 10.0.3.52:/root/.ssh/

  3. Verify the switching.

    Use SSH to switch from the NAT server to all SAP S/4HANA ECSs for verification.

    For example, if the server/client plane IP address of the active ASCS node is 10.0.3.52, run the following command to switch to the active ASCS node:

    ssh 10.0.3.52

    After switching, you must switch back to the NAT server. Then verify the switching from the NAT server to the other nodes.

    The first time you switch to a node, the system displays the host key fingerprint and the message "Are you sure you want to continue connecting (yes/no)?". Enter yes to continue the switching.
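
A check for the files this procedure places in /root/.ssh, as an added example that is not part of the original page: it reports file modes that make sshd or the ssh client reject the key, and an uploaded key copy that cp left behind. The function names audit_ssh_dir and any_perm_bit are hypothetical, and the optional second argument is assumed to be the upload path (/usr/private.pem in the page's example).

```sh
#!/bin/sh
# Added example, not from the original page. Prints one line per finding;
# the return status is the number of findings (0 = all checks passed).

# True when any of the listed permission bits is set on the path (POSIX find).
any_perm_bit() {
    a_path=$1; shift
    for a_bit in "$@"; do
        if [ -n "$(find "$a_path" -prune -perm "-$a_bit" 2>/dev/null)" ]; then
            return 0
        fi
    done
    return 1
}

# audit_ssh_dir SSH_DIR [UPLOADED_KEY_COPY]
audit_ssh_dir() {
    a_dir=$1; a_upload=${2:-}; a_count=0
    a_report() { printf 'FINDING: %s\n' "$1"; a_count=$((a_count + 1)); }

    if [ ! -d "$a_dir" ]; then
        a_report "$a_dir is not a directory"
        return "$a_count"
    fi
    # sshd (StrictModes, on by default) rejects key login when authorized_keys
    # or the directory holding it is writable by group or others.
    if any_perm_bit "$a_dir" 020 002; then
        a_report "$a_dir is writable by group or others"
    fi
    if [ ! -f "$a_dir/authorized_keys" ]; then
        a_report "$a_dir/authorized_keys is missing"
    elif any_perm_bit "$a_dir/authorized_keys" 020 002; then
        a_report "$a_dir/authorized_keys is writable by group or others"
    fi
    # The ssh client refuses a private key that group or others can access,
    # which is why the procedure runs chmod 600 on id_rsa.
    if [ ! -f "$a_dir/id_rsa" ]; then
        a_report "$a_dir/id_rsa is missing"
    elif any_perm_bit "$a_dir/id_rsa" 040 020 010 004 002 001; then
        a_report "$a_dir/id_rsa is accessible by group or others"
    fi
    # cp leaves the uploaded file in place; flag it if it still holds the key.
    if [ -n "$a_upload" ] && [ -f "$a_upload" ] && cmp -s "$a_upload" "$a_dir/id_rsa"; then
        a_report "$a_upload still contains a copy of the private key"
    fi
    return "$a_count"
}
```

Run `audit_ssh_dir /root/.ssh /usr/private.pem` on the NAT server after step 1, and `audit_ssh_dir /root/.ssh` on each ECS after the scp commands in step 2.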