How to setup RSA SSH equivalence on Oracle Exadata nodes (Doc ID 2923095.1)

Last updated on SEPTEMBER 05, 2023

Applies to:

Oracle Exadata Storage Server Software - Version 19.1.0.0.0 and later
Linux x86-64

Purpose

As newer and more secure encryption standards are introduced, older protocols are considered obsolete and production systems should not make use of them. Beginning with Oracle Linux 8, by default, all network connections authenticating with DSA will be blocked at the operating system level. The purpose of this note is to provide the proper steps to setup RSA SSH equivalence between Exadata components, getting customers ready for future migrations.

Prior to updating any Exadata component to an image version based on Oracle Linux 8, customers are strongly recommended to replace all DSA authentication keys with RSA authentication keys, in order to prevent password-less connectivity issues and automation failures, as well as provide more secure network connections.

Scope

All the content in this note is intended to system administrators, allowed to configure and/or modify SSH equivalence preferences on Exadata components. For this configuration to be successful, the following technical requirements must be met:

The Exadata components involved in any key-transfer process must be reachable on the network. Therefore, proper DNS and routing configurations must be made.
For every key-transfer process mentioned in this note, the system administrator must know the remote user's password. At the same time, proper file permissions must be set and firewall configurations must be made for the transferring process to complete.

NOTE: Since RSA is a modern and resource demanding encryption protocol, the hardware involved in these operations must support RSA at a low-level implementation. The Sun Rack II Enhanced PDU within the Exadata rack does not support RSA encryption. Instead, this Exadata component is shipped with a 1024-bit DSA encryption key, which cannot be regenerated.