Configuring SSH Switching Permissions
Scenarios
To allow SSH switchovers between SAP NetWeaver ECSs and NAT servers, you must configure the ECSs and servers to be trusty.
Procedure
- Upload the key file to the NAT server.
- On the local computer, generate the key file for logging in to the NAT server.
When creating the NAT server, you specify the certificate key file (.pem file) for the NAT server.
The .pem file generates the .ppk file using PuTTYgen.
- On the local computer, install the WinSCP software.
- Upload the certificate private key file (.pem file) to the NFS server.
Use WinSCP to upload the certificate private key file (.pem file) to the /usr directory on the NAT server using an elastic IP address. Ensure that user root and the key file (.ppk file) are used for authentication.
- Use PuTTY to log in to the NAT server. Ensure that user root and the key file (.ppk file) are used for authentication.
- Copy the certificate private key file (.pem file) to the /root/.ssh directory and rename the file id_rsa.
For example, if the original file name is private.pem, run the following command to rename it:
cp /usr/private.pem /root/.ssh/id_rsa
cd /root/.ssh/
chmod 600 id_rsa
- On the local computer, generate the key file for logging in to the NAT server.
- Use the server/client plane IP address to allocate the locally stored private key file and authorized_keys file to all SAP NetWeaver ECSs.
The command is in the following format:
scp /root/.ssh/id_rsa Peer IP address:/root/.ssh/id_rsa
scp /root/.ssh/authorized_keys Peer IP address:/root/.ssh/
For example, if the peer IP address is 10.0.3.52, run the following commands:
scp /root/.ssh/id_rsa 10.0.3.52:/root/.ssh/id_rsa
scp /root/.ssh/authorized_keys 10.0.3.52:/root/.ssh/
- Verify the switching.
Use SSH to switch from the NAT server to all SAP NetWeaver ECSs for verification.
The following command is used to switch to the active ASCS node. For example, the IP address of the server/client plane of the active ASCS node is 10.0.3.52.
ssh 10.0.3.52
After the switching, you must switch back to the NAT server. Then, verify the switching from the NAT server to other nodes.
During the first switching, the system displays the fingerprint as well as the message "Are you sure you want to continue connecting (yes/no)?". In such a case, enter yes and continue the switching.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot