FIH, Trusted Contributor

upgrade DP 10.x client without ssh passwordless access

Another question: from 10.x on the installation of Linux client software runs now via ssh, i.e. password free connection between installation server and client for root or enter the credentials every time ... 

The Linux department at the customer (we are an external service provider) get crazy, it was not necessary until 10.x (in pre 10.x times they installed a small DP client stub and enabled xinetd via template on a new client, we imported this client into the Cell and upgraded to the actual version of the software).

We as a backup operator do not have root access to the systems to be backed up, but to the installation server. This would give us root access to all the linux clients immediately -> NO WAY.

And we operate a really large environment (> 70 CellServer with a LOT of clients), so we can not enable / disable this access just for every upgrade for every client.

I seem to remember that there is a way I can change it over to the old procedure, but I don't find it right now ... does someone have an idea?

Best regards

Frank

Accepted Solutions

Knowledge Partner

Re: upgrade DP 10.x client without ssh passwordless access

Hi @FIH,

As discussed, the omnirc option OB2UPGRADEOVERINET=1 seems to be new in A.10.20. But the description on the docs portal seems to be wrong OR the implementation is incomplete.

Client upgrade
https://docs.microfocus.com/itom/Data_Protector:2018.11/Upgrade/c07-s02upgrading_to_10.00#Client_upgrade

After performing some tests, it seems that even 10.x clients allow upgrades or installation of components via INET only in case the omnirc option is defined on the Installation Server. I asked PM for clarification. In any case, thanks for bringing this up, as this seems to cure various installation-related issues.

Regards,
Sebastian Koehler

4 Replies

Micro Focus Expert
Re: upgrade DP 10.x client without ssh passwordless access

Hello @FIH

There is a way to enable the SSH to not request the password. Try this: 

A) On the Installation Server, check whether the file /opt/omni/.omnirc exists; if not, please create it.

B) Add, or make sure that the /opt/omni/.omnirc file contains, the parameter:

OB2_SSH_ENABLED=1

Now you can work on the process to enable ssh. The first step is only needed in case the file /root/.ssh/id_dsa.pub doesn't exist; if it exists, go to step 2.

1- Creating the public and private key: on the Installation Server, please run:

[root@IS]#  ssh-keygen -t dsa

Only hit the Enter key when it is requested; don't add any value.

For example:

[root@IS]#   ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):      (hit Enter key)
Enter passphrase (empty for no passphrase):      (hit Enter key)
Enter same passphrase again:       (hit Enter key)
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
bf:18:99:8e:2d:cb:6c:ce:ca:13:5e:d1:c7:db:13:60 root@IS

2- Copying the public key from the Installation Server to the new client

From the Installation Server, please run the following command:

[root@IS]#  scp /root/.ssh/id_dsa.pub root@client:id_dsa.pub

Where root@client is the server you are trying to add, as root.

Once you hit the Enter key, the command will request the root password for the client.

For example:

[root@IS]#  scp /root/.ssh/id_dsa.pub root@client:id_dsa.pub
root@client’s password:      (enter the client password for root)
The authenticity of host 'IS (16.90.0.6)' can't be established.
RSA key fingerprint is 59:10:8d:76:1d:70:55:2e:56:91:71:3f:4c:aa:8f:05.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'IS,16.90.0.6' (RSA) to the list of known hosts.
Password:
id_dsa.pub    100%  621     0.6KB/s   00:00

3- Go to the client and check if the file exists. For example:

root@client~ #    cd /root
root@client~ #  ls id_*
id_dsa.pub

4- Append the content of the file “id_dsa.pub” to “authorized_keys2”, for example:

root@client~ # cat id_dsa.pub >> /root/.ssh/authorized_keys2
root@client~ # ls  /root/.ssh/authorized_keys2
authorized_keys2

5- Now execute SSH from the Installation Server to the new client:

[root@IS]# ssh client uname -a

Do the same test with the FQDN, short name and IP address of the client.

For example:

[root@IS]# ssh client uname -a
Linux client 3.5.0-23-generic #35~precise1-client SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

6- Open the Data Protector GUI and install the Data Protector components that you need.

Regards, 

Andres Fallas Salazar
Customer Support Engineer
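
An added example, not part of the post above and not Data Protector code: a Python audit for the client side of this procedure, flagging entries in root's authorized_keys or authorized_keys2 that are DSA keys or that lack the `from=` and `command=` options. The sample file content is constructed, and the wrapper path in it is hypothetical.

```python
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_outside_quotes(text, seps):
    """Split on any char in seps, ignoring separators inside double quotes."""
    parts, quoted, prev = [""], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
        prev = ch
    return [p for p in parts if p]

def parse_entry(line):
    """Return key type and option names for one line, or None if not a key."""
    fields = split_outside_quotes(line.strip(), " \t")
    if not fields or fields[0].startswith("#"):
        return None
    # An entry is "[options] keytype base64 [comment]"; options are optional.
    options, fields = ("", fields) if fields[0] in KEY_TYPES else (fields[0], fields[1:])
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None                            # malformed or unknown key type
    names = {o.split("=", 1)[0].lower() for o in split_outside_quotes(options, ",")}
    return {"type": fields[0], "options": names}

def audit(text):
    """Return (line_number, finding) tuples for risky entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if (entry := parse_entry(line)) is None:
            continue
        if entry["type"] == "ssh-dss":         # what `ssh-keygen -t dsa` produces
            findings.append((n, "dsa-key"))
        if "from" not in entry["options"]:     # key accepted from any source host
            findings.append((n, "no-source-restriction"))
        if "command" not in entry["options"]:  # holder may run arbitrary commands
            findings.append((n, "no-forced-command"))
    return findings

SAMPLE = '''\
# constructed sample: keys are not real, wrapper path is hypothetical
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed root@IS
from="is.example.com",command="/usr/local/bin/dp-wrapper --upgrade",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed root@IS
from="10.0.0.5,10.0.0.6" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed admin@jump
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An entry appended exactly as in step 4 carries no options, so it is reported with all three findings, as line 2 of the sample is.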

FIH, Trusted Contributor
Re: upgrade DP 10.x client without ssh passwordless access

Hi @Victor_F_DP 

sorry, but you don't understand my problem ...

1.) I already know how to set up password-free access via ssh key exchange; I have been doing this regularly for some years now ... this is NOT my problem

2.) My problem: We have a big customer from the automotive sector ( > 70 cells, > 2500 clients, about 50 % linux). We operate the backup environment / processes for this customer. We only have direct access to CellServers (Windows) and Windows/Linux Installation Servers. We have NO root access to the clients (and won't get any) as this is a BIG security hole and will let the customer fail any security audit.
Until now, it was sufficient for the operating team to perform a basic installation of DP (Core and DA only) when setting up a new Linux server (clients). This did not have to be a current DP version. Afterwards we could import the client and from then on update the software / install further components WITHOUT root access, as this was done via the DP processes.
This is no longer possible with the new method 😞
We also can't distribute software after every DP upgrade via other methods because we are not allowed to do so and this would mean extreme effort for the customer.
Note: other Enterprise! Backup products (for example CommVault) can still do this or it is at least selectable.

And even giving the control (root access) back to the customer doesn't help either, since there may be several departments per site that are not allowed to have such a passwordless root bridge. And to install / maintain a separate installation server for each department is beyond any effort.

Sorry, but do the developers even care if old basic functions which are there for a long time are simply cut off what effects this has in large grown and/or distributed customer environments? It should at least be configurable / selectable! Or are such enterprise customers no longer a target?

Best regards

Frank

 

FIH, Trusted Contributor

Re: upgrade DP 10.x client without ssh passwordless access

OK, there is a simple solution (got it from the Support Team):

OB2UPGRADEOVERINET=1 in .omnirc file on IS.

After that, I could upgrade my pre 10.x clients to the actual software version.

It's a pity that this parameter is not described in omnirc...

I knew I'd read it somewhere.

But why can the installation server not recognize from client feedback that it is a 9.x client and automatically choose the old procedure???
