Securely deploying and configuring the DB2 pureScale Feature by using db2ssh

View Only

Securely deploying and configuring the DB2 pureScale Feature by using db2ssh

By Indira Kumar posted Tue December 06, 2022 11:41 AM

Like

Executive summary

The main objective of this paper is to highlight the best practices for securely deploying and configuring the DB2 pureScale Feature by using db2ssh. The db2ssh is a wrapper around the Secure Shell (SSH) protocol and Secure Copy Protocol (SCP).

DB2 Version 10.1 Fix Pack 2 introduced db2ssh. You can use db2ssh to run commands as a root user on any host in the General Parallel File System (GPFS) domain. This functionality is achieved by communicating between hosts as a designated non-root ID, thereby removing the requirement of enabling passwordless SSH and remote root login for the root user. As of DB2 Version 10.5, along with GPFS, the installer uses db2ssh to install and configure the DB2 pureScale Feature. Thus, the dependency on passwordless SSH for the root user is removed.

This paper provides the following information:

An introduction to db2ssh and its configuration
Information about various methods for installing and configuring the DB2 pureScale Feature with db2ssh enabled
Troubleshooting tips to resolve problems

Introduction to db2ssh

Before DB2 Version 10.5, to install and configure the DB2 pureScale Feature, you had to enable the remote root login setting and passwordless SSH for the root user. These requirements posed security concerns such as a lack of accountability of who logged in as the root user and allowing root to root SSH without a password or passphrase.

Along with the DB2 installer, the General Parallel File System (GPFS) required the enablement of the remote root login setting and passwordless SSH for the root user for some of the cluster operations. DB2 Version 10.1 Fix Pack 2 introduced db2ssh to eliminate these dependencies for GPFS. However, the DB2 installer continued to have these dependencies until DB2 Version 10.5. In that release the DB2 installer was enhanced to use db2ssh.

The db2ssh is installed in the /var/db2/db2ssh directory. It consists of three executables:

db2locssh, which is invoked on the local host
db2remssh, which the db2locssh program invokes on the remote host
db2scp, which uses both the db2locssh and db2remssh files

The db2ssh is an SSH wrapper. To use db2ssh, you must set up a dedicated non-root user i.e. <db2sshid>, with passwordless SSH on the hosts where GPFS is installed.

You can specify the <db2sshid> user in the /var/db2/db2ssh/db2ssh.cfg file.

Configuring db2ssh includes a set of private and public root keys that are generated in the /var/db2/db2ssh directory. The public keys on each host are exchanged with every other host's public keys. After you configure db2ssh, if you want to run a command on the remote host as the root user, you must invoke db2locssh utility on the local host as the root user.

The db2locssh utility digitally signs the command with the local host's private key and invokes the db2remssh through the SSH protocol as the <db2sshid> user on the remote host. Once on the remote host, db2remssh verifies the digital message signature by using the originating host's public key. At this point, replay attacks are prevented in one of two ways. For DB2 Version 10.5 FP2 or earlier, 20 seconds are allowed to pass from the time that the message originates to the time that it is received. As of DB2 Version 10.5 FP3, you configure the SSH protocol to protect itself from replay attacks. Regardless of the fix pack, the final steps are to run the command and to return the result to the originating host.

Db2