Friday, November 5, 2010

Cisco 881W (Wireless Router) FULL Configurations

By: Boaz Minitzer
Tag: Cisco IOS

This took me several hours of research and trial and error to get working, but with these two configurations (one for the main router and one for the integrated access point, AP) you can cut and paste them into your router and they will work just fine (save for the caveat at the bottom of the post).

What these will give you is the following:
  • Two SSIDs, one for guests and one that connects to the main LAN
  • A site-to-site VPN with a Cisco ASA device (a 5540, if you must know!), for which I will publish a configuration at a later date
  • A configured SSL VPN gateway on the 881W (you get a 90-day trial which is activated as soon as you enter "webvpn"; after that you have to buy a license)
  • A static route to the provider, in this case Time Warner
  • A few sample DHCP reservations for some nodes
Feel free to ask any questions!

First, let's put in the router configuration:

The usual: SSH to the box and get to privileged mode with enable:

----------------Main 881W Configuration-----------------
!
! Last configuration change at 10:05:24 PDT Thu Nov 3 2011 by boaz
! NVRAM config last updated at 10:05:34 PDT Thu Nov 3 2011 by boaz
!
version 15.0
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
service sequence-numbers
!
hostname GW01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging buffered 51200
enable password 7 <password-removed>
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login webvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint local
 enrollment selfsigned
 revocation-check crl
 rsakeypair 777network_ssl_key 1024 1024
!
!
crypto pki certificate chain local
 certificate self-signed 0B
  3082022B 30820194 A0030201 0202010B 300D0609 2A864886 F70D0101 04050030
  22312030 1E06092A 864886F7 0D010902 16114757 30312E73 706F7468 6F6D652E
  636F6D30 1E170D31 31313032 35323034 3431345A 170D3230 30313031 30303030
  30305A30 22312030 1E06092A 864886F7 0D010902 16114757 30312E73 706F7468
  6F6D652E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
  02818100 9BF230A3 E931D354 879B6552 12696C4E 403DC9A0 BED040B2 2C6A79C5
  E808542F 7FC25E15 FD634FC6 233858D8 F66EB9A6 9EE3B4EB 988F2005 5E3F7DE9
  185F6630 0D623809 576431EC B33D4DCA 48F68116 22B94299 03E4B2A4 EA7F486A
  DBEB11C5 BD7C0F9F 2D766D8B 86FA392C C2219E95 8B112F9D ADD94410 4F82B990
  EDA963A3 02030100 01A37130 6F300F06 03551D13 0101FF04 05300301 01FF301C
  0603551D 11041530 13821147 5730312E 73706F74 686F6D65 2E636F6D 301F0603
  551D2304 18301680 14B3733F 97620715 E43936B7 2FF8392E F64D78A8 63301D06
  03551D0E 04160414 B3733F97 620715E4 3936B72F F8392EF6 4D78A863 300D0609
  2A864886 F70D0101 04050003 81810084 3730FC57 E22E00F7 C90E591E E2562A1C
  9E079E2B BAFDC51A 43F61F71 56724634 324DE652 2CF09F81 4030DFE0 A43BAABB
  44C389FF DDD6FC1B 437618CE A964AA5A 3F1E8FA5 22CAED0A 0C49366F E2C4B3C9
  C67804C7 CEEAA04C C9DF38A0 740B2893 65A5AAB7 DA17DD7B B4B59808 121FFB69
  589EDA03 D7E77F79 EF0837D4 78578A
      quit
ip source-route
!
!
ip dhcp excluded-address 192.168.230.1 192.168.230.99
ip dhcp excluded-address 192.168.230.201 192.168.230.254
ip dhcp excluded-address 192.168.231.1 192.168.231.50
ip dhcp excluded-address 192.168.231.60 192.168.231.254
!
ip dhcp pool sdm-pool1
   network 192.168.230.0 255.255.255.0
   domain-name domain.com
   option 66 ascii "192.168.230.9"
   option 160 ascii "192.168.230.9"
   default-router 192.168.230.1
   dns-server 192.168.230.20
   lease 0 2
!
ip dhcp pool Domain-Reservation-1-Printer
   host 192.168.230.202 255.255.255.0
   client-identifier 0100.8077.f359.83
   client-name Brother-MFC-9840CDW
   default-router 192.168.230.1
   dns-server 4.2.2.2
   lease 7
!
ip dhcp pool VLAN-GUEST
   network 192.168.231.0 255.255.255.0
   default-router 192.168.231.1
   domain-name domain.com
   dns-server 4.2.2.2 8.8.8.8
   lease 0 12
!
ip dhcp pool Domain-Reservation-2-cube1
   host 192.168.230.65 255.255.255.0
   client-identifier 0100.065b.b4bd.eb
   client-name Telemarkter-PC-cubicle-01
   default-router 192.168.230.1
   dns-server 192.168.250.1
   lease 0 2
!
ip dhcp pool Domain-Reservation-3-cube2
   host 192.168.230.66 255.255.255.0
   client-identifier 0100.0f1f.8c1f.30
   client-name Telemarkter-PC-cubicle-02
   default-router 192.168.230.1
   dns-server 192.168.250.1
   lease 0 2
!
!
ip cef
ip domain name domain.com
ip name-server 192.168.230.20
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX1534811A
!
!
archive
 log config
  logging enable
  hidekeys
object-group network GUEST-WLAN
 description Guest VLAN (ssid SpotGuest)
 192.168.231.0 255.255.255.0
!
object-group network Domain-LAN
 description Local Lan for DomainHome
 192.168.230.0 255.255.255.0
!
username admin privilege 15 password 7 <password-removed>
username boaz privilege 15 password 7 <password-removed>
username jaymie privilege 0 password 7 <password-removed>
username afe privilege 0 password 7 <password-removed>
username david privilege 0 password 7 <password-removed>
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key branch2vpnkey address 64.74.10.10
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set SpotEquinixSET esp-3des esp-sha-hmac
!
crypto map EquinixTunnel 9 ipsec-isakmp
 description Tunnel from Wilshire to Equinix
 set peer 64.74.10.10
 set transform-set SpotEquinixSET
 match address 150
 reverse-route static
!
!
!
!
!
interface Loopback2
 description interface for SSL_VPN
 ip address 192.168.232.1 255.255.255.0
!
interface FastEthernet0
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet4
 ip address 173.196.143.178 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map EquinixTunnel
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 1.1.1.1 255.255.255.252
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
interface Vlan1
 description Vlan for the Wireless AP
 ip address 192.168.230.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan20
 description Guest Wireless Network (DomainGuest)
 ip address 192.168.231.1 255.255.255.0
 ip access-group Guest-ACL in
 ip nat inside
 ip virtual-reassembly
!
ip local pool webvpn1 192.168.232.5 192.168.232.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT-RMap interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.196.143.177
!
ip access-list standard LocalRoute-Acl
 permit 192.168.230.0 0.0.0.255
!
ip access-list extended Guest-ACL
 deny   ip any 192.168.230.0 0.0.0.255
 permit ip any any
ip access-list extended Inside-Out-Acl
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit ip host 192.168.230.111 any
 permit ip 192.168.230.64 0.0.0.31 host 173.196.143.180
 permit ip 192.168.230.0 0.0.0.63 any
 permit ip 192.168.230.128 0.0.0.127 any
ip access-list extended TerminalAccess
 permit tcp any any eq 22 log
 permit tcp host 192.168.230.111 any eq telnet log
 deny   tcp any any log
ip access-list extended test
ip access-list extended webvpn-acl
 permit icmp any any
 permit tcp 192.168.232.0 0.0.0.255 any eq 3389 log
 permit tcp 192.168.232.0 0.0.0.255 any eq domain
 permit udp 192.168.232.0 0.0.0.255 any eq domain
 deny   ip any host 192.168.230.9 log
 permit tcp 192.168.232.0 0.0.0.255 any eq www
 deny   ip any any log
!
logging trap debugging
access-list 110 deny   ip 192.168.230.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.230.0 0.0.0.255 any
access-list 110 permit ip 192.168.231.0 0.0.0.255 any
access-list 150 permit ip 192.168.230.0 0.0.0.255 10.0.10.0 0.0.0.255
no cdp run

!
!
!
!
route-map LocalRoute-RMap permit 9
 match ip address LocalRoute-Acl
!
route-map NAT-RMap permit 9
 match ip address 110
!
snmp-server community SNMPRW
snmp-server community SNMPRO
snmp-server location CiscoHouse
snmp-server contact Cisco
!
control-plane
!
privilege exec level 0 ping
banner login C



                                *** WARNING ***



                You have reached an Official Corporate Computer System.

                Unauthorized access is prohibited by Public Law 99-474.

                          The Computer Fraud and Abuse Act of 1986.

              ***********************************************************

                                FOR ACCESS TO THIS SYSTEM

                                        CONTACT

                              THE SYSTEMS INTEGRATION GROUP

              ***********************************************************

                  **** FOR OFFICIAL CORPORATE BUSINESS ONLY ****

                           T H E  G R O U P

               ** Unauthorized use is Prohibited and Punishible by Law **


              ***********************************************************




banner motd C


              ***********************************************************

                                GW01.domain.com

                    contact Boaz at DataStability.com for any Questions

              ***********************************************************


!
line con 0
 privilege level 15
 logging synchronous
 login authentication local_auth
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class TerminalAccess in
 exec-timeout 30 0
 privilege level 0
 logging synchronous
 login authentication local_auth
 transport preferred ssh
 transport input all
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
!
webvpn gateway 777network
 hostname gw01
 ip address 173.196.143.178 port 443 
 http-redirect port 80
 ssl trustpoint local
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
 !
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.4.1012-k9.pkg sequence 2
 !
webvpn install svc flash:/webvpn/anyconnect-linux-2.4.1012-k9.pkg sequence 3
 !
webvpn context 777network
 title "777network Secure Gateway"
 ssl authenticate verify all
 !
 url-list "InternalWebServers"
   heading "Email Servers"
   url-text "Outlook Web Access" url-value "http://exchange.domain.com"
 !
 nbns-list "NBNSServers"
   nbns-server 192.168.230.20
 login-message "Enter your credentials"
 !
 policy group 777networkpolicy
   url-list "InternalWebServers"
   nbns-list "NBNSServers"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-enabled
   banner "Welcome to 777 Network, Authentication Successful"
   filter tunnel webvpn-acl
   svc address-pool "webvpn1"
   svc default-domain "domain.com"
   svc keep-client-installed
   svc homepage "http://exchange.domain.com"
   svc rekey method new-tunnel
   svc split include 192.168.230.0 255.255.255.0
   svc dns-server primary 192.168.230.20
 default-group-policy 777networkpolicy
 aaa authentication list webvpn
 gateway 777network
 inservice
!
end
----------------end main 881W Configuration-----------------
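The guest isolation and the SSL VPN filtering in the configuration above come down to two ACLs: Guest-ACL (applied inbound on Vlan20) and webvpn-acl (the tunnel filter in the policy group). As an added example that is not part of the original post, here is a small first-match evaluator for the IOS extended-ACL syntax used on this page, loaded with those two ACLs so that flows can be checked before the config is pasted in. It shows, among other things, that because the RDP permit precedes the deny for host 192.168.230.9, RDP from a VPN client to that host is still permitted while HTTP to it is not. The ACL entries are copied from the config; the evaluator and its function names are ours.

```python
import ipaddress

# Constructed copies of two ACLs from the GW01 configuration above; the entries
# are the router's, the comments and the evaluator are ours.
GUEST_ACL_TEXT = """
deny   ip any 192.168.230.0 0.0.0.255
permit ip any any
"""

WEBVPN_ACL_TEXT = """
permit icmp any any
permit tcp 192.168.232.0 0.0.0.255 any eq 3389 log
permit tcp 192.168.232.0 0.0.0.255 any eq domain
permit udp 192.168.232.0 0.0.0.255 any eq domain
deny   ip any host 192.168.230.9 log
permit tcp 192.168.232.0 0.0.0.255 any eq www
deny   ip any any log
"""

# IOS port keywords that appear on this page.
PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i].
    IOS wildcard masks are inverted netmasks; only contiguous masks are
    handled (ipaddress rejects the rest with ValueError)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


class AclEntry:
    """One 'permit|deny <proto> <src> <dst> [eq <port>] [log]' line.
    Only destination-port matches are supported, which is all this page uses."""

    def __init__(self, line):
        t = line.split()
        self.action, self.proto = t[0], t[1]
        self.src, i = _parse_addr(t, 2)
        self.dst, i = _parse_addr(t, i)
        self.dport = None
        self.log = "log" in t[i:]
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            self.dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)

    def matches(self, proto, src, dst, dport):
        if self.proto not in ("ip", proto):
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_acl(text):
    return [AclEntry(line) for line in text.splitlines() if line.split()]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if entry.matches(proto, src, dst, dport):
            return entry.action
    return "deny"


GUEST = parse_acl(GUEST_ACL_TEXT)
WEBVPN = parse_acl(WEBVPN_ACL_TEXT)

if __name__ == "__main__":
    # Guest VLAN (Vlan20) station reaching the LAN vs. the Internet.
    print(evaluate(GUEST, "tcp", "192.168.231.50", "192.168.230.20", 53))   # deny
    print(evaluate(GUEST, "tcp", "192.168.231.50", "8.8.8.8", 443))         # permit
    # SSL VPN client (pool 192.168.232.5-10) reaching host 192.168.230.9.
    print(evaluate(WEBVPN, "tcp", "192.168.232.5", "192.168.230.9", 3389))  # permit
    print(evaluate(WEBVPN, "tcp", "192.168.232.5", "192.168.230.9", 80))    # deny
```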


Now we need to get to the AP, which you can do either by telnetting to its IP and port (more on that in another post) or with:

881W#service-module wlan-ap 0 session
Trying 1.1.1.1, 2002 ... Open
c

Now you can paste in the AP configuration below:

----------------AP for 881W Configuration-----------------

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 password1234-removed
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid SpotGuest
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 password1234-removed
!
dot11 ssid 777network
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 0 password1234-removed
!
dot11 network-map
!
!
username admin privilege 15 secret 5 password1234-removed
username boaz privilege 15 password 7 password1234-removed
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 ssid SpotGuest
 !
 ssid 777network
 !
 antenna gain 0
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m8. m9. m10. m11. m12. m13. m14. m15.
 channel width 40-above
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 ip address 192.168.230.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.230.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
ip access-list extended Guest-ACL
 permit icmp any any
 deny   ip any 192.168.230.0 0.0.0.255
 permit ip any any
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
 privilege level 15
 login local
 no activation-character
line vty 0 4
 login local
!
cns dhcp
end
----------------End AP for 881W Configuration-----------------


Caveat: since this article doesn't cover the certificates you need to create for both the SSL VPN and the site-to-site VPN, you will get some errors. You first need to create these certificates (self-signed) or buy them from a CA such as VeriSign.

Tuesday, August 3, 2010

Multipath configuration on Linux Servers (RHEL or CentOS 5.5 or higher)


   Multipath on Linux Servers


In today's post, we'll go over configuring multipath on Linux servers. This applies to Red Hat Enterprise Linux 5.5 and 5.6 and to Oracle Enterprise Linux (OEL) 5.6. Also, this is written for QLogic HBAs; it will be different with other HBAs!

We will be configuring LUNs presented by a 3PAR or EMC SAN for use on the above Unix servers.

Necessary Information:

The person that provisioned the storage has to provide the worldwide ID (WWID) for each LUN assigned to the Linux server.  This is critical when multiple LUNs are to be assigned at the same time as the WWID is uniquely assigned to each LUN.    
Note that WWIDs should only have lower case characters(!) 

The Linux server should have a copy of the Qlogic LUN scanning software installed at /usr/local/bin/.  Otherwise, a copy should be made of the ql-dynamic-tgt-lun-disc.sh script.

Depending upon the version of Linux you are using, you will need to use a specific version of a generic copy of the multipath.conf file.   These versions do not include support for EMC LUNs at this time.  A copy of this file should be placed in the /etc/ directory on the Linux server being configured.

Configuring multipath:

You have to be root in order to execute the following commands:

1)    Execute the following command to get the SCSI ID of the internal SCSI disk.  This is done in order to blacklist it from being scanned within multipath.conf.

[root@linux01 ~]# scsi_id  -g  -u  -s  /block/sda

2)    Start up the multipathd daemon process.

[root@linux01 ~]# service multipathd start

3)    Enable multipathd to start on subsequent boots.

[root@linux01 ~]# chkconfig --add multipathd
[root@linux01 ~]# chkconfig multipathd on

(chkconfig provides a simple command-line tool for maintaining the /etc/rc[0-6].d directory hierarchy by relieving system administrators of the task of directly manipulating the numerous symbolic links in those directories.)

4)    Execute the following commands to scan for LUNs on the Linux machine:

[root@linux01 ~]# ql-dynamic-tgt-lun-disc.sh  -cl
[root@linux01 ~]# ql-dynamic-tgt-lun-disc.sh  -s

5)    Edit the multipath.conf file to include the internal SCSI disk’s unique SCSI ID.

WAS:    wwid        # PERC controller from /block/sda
IS:        wwid <hex string from the scsi_id output> # PERC controller from /block/sda

6)    Execute the following command to verify that the LUNs are visible.  If the LUNs are from a 3PAR, you should see the string “3PARdata” visible for each LUN in the output.
You should see one “mpath?” where ‘?’ is a different letter for every LUN detected.

[root@linux01 ~]# multipath -ll

7)    Edit the multipath.conf file again to insert the WWIDs for each LUN as shown by the previous command and assign alias names to the LUNs.  This requires adding the following to this file:


multipaths {
      multipath {
                  # <some descriptive comment>
                  wwid <WWID of the LUN>
                  alias <some descriptive alias name>
      }
}


The multipath { ... } block above should exist once for every LUN.
Note that the WWID of the LUN should be provided by the person that provisioned the storage, but the hex string must be preceded by the character '3'. The resulting WWID can be compared to the output of the "multipath -ll" command for correctness.
The alias names should be descriptive, such as "grid1" for the first Oracle ASM LUN, "data1" for the first Oracle data LUN, or "fra1" for the first Oracle flash recovery area.

8)    Restart multipathd to reread the multipath.conf file.

[root@linux01 ~]# service multipathd restart

9)    Executing the "multipath -ll" command should now display the alias names.
[root@linux01 ~]# multipath -ll

10)    You should also verify that the LUNs now exist in the /dev/mapper/ directory. You should see each LUN listed by its alias name (e.g. grid1).

[root@linux01 ~]# cd /dev/mapper
[root@linux01 ~]# ll

11)    If these LUNs are being created for Oracle, I will publish another article at a later date.

12)    If additional LUNs are added, execute the following:

# ql-dynamic-tgt-lun-disc.sh -s
# multipath -ll

Edit the multipath.conf file again to insert the WWIDs for each new LUN as reflected by the previous command and assign alias names to the new LUNs.

[root@linux01 ~]# service multipathd restart

13)    If you wish to rename an alias, execute the following:
Edit the multipath.conf file to insert the new alias name(s) assigned to the LUN.

[root@linux01 ~]# service multipathd restart

Verify that the alias(s) have changed by looking at the /dev/mapper directory.
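As an added example that is not part of the original article, the following Python helper applies the two WWID rules from step 7 (lower case only, and the hex string preceded by '3'), checks each provisioned WWID against `multipath -ll` output before it is trusted, and renders the multipaths { } stanza for multipath.conf. The sample `multipath -ll` output and the WWIDs are constructed, and the function names (parse_multipath_ll, normalize_wwid, multipaths_stanza) are ours; it assumes 16-byte WWNs (32 hex digits), as presented by the 3PAR and EMC arrays the article targets.

```python
import re

# Constructed sample of `multipath -ll` output for two 3PAR LUNs, in the shape
# the text describes (one mpath? per LUN, vendor string "3PARdata"). Not real output.
SAMPLE_MULTIPATH_LL = """\
mpath0 (360002ac0000000000000000100001a2b) dm-2 3PARdata,VV
[size=100G][features=0][hwhandler=0]
\\_ round-robin 0 [prio=0][active]
 \\_ 1:0:0:0 sdb 8:16 [active][ready]
 \\_ 2:0:0:0 sdd 8:48 [active][ready]
mpath1 (360002ac0000000000000000200001a2b) dm-3 3PARdata,VV
[size=200G][features=0][hwhandler=0]
\\_ round-robin 0 [prio=0][active]
 \\_ 1:0:0:1 sdc 8:32 [active][ready]
 \\_ 2:0:0:1 sde 8:64 [active][ready]
"""

# WWIDs as the storage admin would hand them over: no leading '3', mixed case.
# Constructed values: (provisioned WWID, alias, comment).
PROVISIONED_LUNS = [
    ("60002AC0000000000000000100001A2B", "grid1", "Oracle ASM grid LUN"),
    ("60002ac0000000000000000200001a2b", "data1", "Oracle data LUN"),
]

MPATH_LINE = re.compile(r"^(mpath\w+)\s+\((\w+)\)\s+dm-\d+\s+(\S+)")


def parse_multipath_ll(text):
    """Map WWID -> (mpath name, vendor/product) from `multipath -ll` output."""
    seen = {}
    for line in text.splitlines():
        m = MPATH_LINE.match(line)
        if m:
            seen[m.group(2)] = (m.group(1), m.group(3))
    return seen


def normalize_wwid(provisioned):
    """Apply the two rules from the text: lower case only, and the hex string
    preceded by '3'. Assumption: a 16-byte (32 hex digit) WWN; anything else
    is rejected rather than guessed. An already-prefixed WWID passes through."""
    wwid = provisioned.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", wwid):
        raise ValueError(f"not a hex WWID: {provisioned!r}")
    if len(wwid) == 32:
        wwid = "3" + wwid
    if len(wwid) != 33 or not wwid.startswith("3"):
        raise ValueError(f"unexpected WWID length: {provisioned!r}")
    return wwid


def multipaths_stanza(luns, seen):
    """Render the multipaths { } block for multipath.conf, refusing to emit an
    entry whose WWID is not visible in `multipath -ll` (a typo would otherwise
    silently produce no /dev/mapper alias after the restart)."""
    entries = []
    for provisioned, alias, comment in luns:
        wwid = normalize_wwid(provisioned)
        if wwid not in seen:
            raise LookupError(f"{alias}: WWID {wwid} not found in multipath -ll")
        entries.append(
            "      multipath {\n"
            f"                  # {comment} (currently {seen[wwid][0]})\n"
            f"                  wwid {wwid}\n"
            f"                  alias {alias}\n"
            "      }"
        )
    return "multipaths {\n" + "\n".join(entries) + "\n}\n"


if __name__ == "__main__":
    print(multipaths_stanza(PROVISIONED_LUNS, parse_multipath_ll(SAMPLE_MULTIPATH_LL)))
```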

Cleaning up failed/faulty (dead) paths in multipath:
This situation can occur if LUNs are removed or in case of a hardware failure.

1)    Flush the device (e.g. /dev/sdx) from the multipath service:
[root@linux01 ~]# multipath -f sdx

2)    Flush any outstanding I/O to the device:
[root@linux01 ~]# blockdev  --flushbufs  /dev/sdx

3)    Remove the device file from the SCSI subsystem:
[root@linux01 ~]# echo 1 > /sys/block/sdx/device/delete

4)    Verify that the device file is gone from multipath:
[root@linux01 ~]# multipath -ll | grep -i sdx

Wednesday, January 6, 2010

Enabling SSH User Equivalency on Cluster Member Nodes (Oracle RAC)

Creating Identical Users and Groups on Other Cluster Nodes

The Oracle software users and groups must exist and be identical on all cluster nodes. To create these identical users and groups, you must identify the user ID and group IDs assigned to them on the node where you created them, then create the user and groups with the same name and ID on the other cluster nodes. You must create identical users and groups on other cluster nodes only if you are using local users and groups. If you are using users and groups defined in a directory service such as NIS, they are already identical on each cluster node.
Identifying the User and Group IDs
To determine the user ID (UID) and the group IDs (GIDs) for the groups, follow these steps:
1. Enter the following command:
   # id oracle
   The output from this command is similar to the following:
   uid=440(oracle) gid=200(oinstall) groups=201(dba),202(oper)
2. From the output, identify the user identity (UID) for the Oracle user and the group identities (GIDs) for the groups to which it belongs.
Creating the User and Groups on the Other Cluster Nodes
To create the user and groups on the other cluster nodes, repeat the following procedure on each node:
1. Log in as root to the cluster node on which you want to create the user and groups.
2. Create each group with the following command, using the -g option to specify the same GID the group has on the first node:
   # /usr/sbin/groupadd -g <group_id> <group_name>

Configuring SSH on all Cluster Nodes

Before you install and use Oracle Real Application Clusters, you must configure secure shell (SSH) for the oracle user on all cluster nodes. Oracle Universal Installer uses the ssh and scp commands during installation to run remote commands on and copy files to the other cluster nodes. You must configure SSH so that these commands do not prompt for a password.
Note:
This section describes how to configure OpenSSH version 3. If SSH is not available, then Oracle Universal Installer attempts to use rsh and rcp instead. However, these services are disabled by default on most Linux systems.
Configuring SSH on Cluster Member Nodes
To configure SSH, complete the following steps on each cluster node:
1. Log in as the Oracle user.
2. If necessary, create the .ssh directory in the Oracle user's home directory and set the correct permissions on it:
   $ mkdir ~/.ssh
   $ chmod 700 ~/.ssh
3. Enter the following command to generate an RSA key for version 2 of the SSH protocol:
   $ /usr/bin/ssh-keygen -t rsa
   At the prompts:
   o Accept the default location for the key file.
   o Enter and confirm a pass phrase that is different from the Oracle user's password.
   This command writes the public key to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file. Never distribute the private key to anyone.
4. Enter the following command to generate a DSA key for version 2 of the SSH protocol:
   $ /usr/bin/ssh-keygen -t dsa
   At the prompts:
   o Accept the default location for the key file.
   o Enter and confirm a pass phrase that is different from the Oracle user's password.
   This command writes the public key to the ~/.ssh/id_dsa.pub file and the private key to the ~/.ssh/id_dsa file. Never distribute the private key to anyone.
5. Copy the contents of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files to the ~/.ssh/authorized_keys file on this node and to the same file on all other cluster nodes.
   Note:
   The ~/.ssh/authorized_keys file on every node must contain the contents of all of the ~/.ssh/id_rsa.pub and ~/.ssh/id_dsa.pub files that you generated on all cluster nodes.
6. Change the permissions on the ~/.ssh/authorized_keys file on all cluster nodes:
   $ chmod 600 ~/.ssh/authorized_keys
At this point, if you use ssh to log in to or run a command on another node, you are prompted for the pass phrase that you specified when you created the DSA key.
Enabling SSH User Equivalency on Cluster Member Nodes
To enable Oracle Universal Installer to use the ssh and scp commands without being prompted for a pass phrase, follow these steps:
1. On the system where you want to run Oracle Universal Installer, log in as the Oracle user.
2. Enter the following commands:
   $ exec /usr/bin/ssh-agent $SHELL
   $ /usr/bin/ssh-add
3. At the prompts, enter the pass phrase for each key that you generated.
   If you have configured SSH correctly, then you can use the ssh or scp commands without being prompted for a password or a pass phrase.
4. To test the SSH configuration, enter the following commands from the same terminal session, testing the configuration of each cluster node:
   $ ssh nodename1 date
   $ ssh nodename2 date