Db2’s Database Partitioning Feature (DPF) allows a single Db2 instance to span multiple physical servers — allowing a single Db2 database to scale out to sizes well beyond what is possible on a single physical server.
To manage a DPF environment, Db2 needs to be able to execute commands (such as db2start) on all servers participating in the instance. Prior to Db2 9.1 (back when the database partitioning feature was part of Db2 Parallel Edition and Enterprise-Extended Edition, or EEE), Db2 relied on the remote shell tool rsh to execute commands on remote servers. Unfortunately, rsh is rather insecure: it performs no host validation and no encryption when executing remote commands. Vulnerability scanning tools will detect whether the rsh daemon rshd is running on a system and will flag it as a significant security risk.
Fortunately, a secure alternative to rsh has been around for many years — the secure shell (ssh). It eliminates many of the risks that were associated with rsh by using public key-based encryption and host-based authentication. Db2 added support for ssh when Db2 9.1 was released.
Switching to ssh
It’s very simple to switch a partitioned Db2 instance from using rsh to ssh for inter-node communication. The steps below assume that you have a properly configured Db2 DPF instance and that ssh is already installed and working on your UNIX or Linux boxes (i.e., you can log in to the servers using ssh).
All commands should be executed as the Db2 instance owner.
- Set up the Db2 instance owner to allow for passwordless ssh login and validate that it functions. There are many guides that describe how to do this, but as a brief overview, the following commands should be executed to generate an RSA key pair, authorize the key for passwordless login, and validate that passwordless login is functioning:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/db2inst2/.ssh/id_rsa):
Created directory '/home/db2inst2/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/db2inst2/.ssh/id_rsa.
Your public key has been saved in /home/db2inst2/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XYQhQtwoeyvcMeluSDqmUOSTBZc0D7vEB7jCPR5f36U [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| .o*+oo. .o. |
| .+o*o..... |
|. o.=oo. . |
|.+.B.o=. . . . |
| .*.=+.+S o o |
| . o+.+ . E |
|. o + |
|. + . o |
|.o . . |
+----[SHA256]-----+
$ cp $HOME/.ssh/id_rsa.pub $HOME/.ssh/authorized_keys
$ chmod 600 $HOME/.ssh/authorized_keys
$ ssh localhost date
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:Q9KB4xh+sS3giwjatZFDmvDIXEvU7zWQOV3I8pEgHSI.
ECDSA key fingerprint is MD5:87:9d:40:73:61:a8:ae:ce:34:eb:4b:28:b1:dc:d3:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Fri Feb 19 15:25:11 MST 2021
- Switch Db2 from using RSH to SSH by setting the DB2RSHCMD registry variable:
$ db2set DB2RSHCMD=/usr/bin/ssh
- Accept host keys for all servers participating in the Db2 instance. You’ll be prompted to accept the host key for each physical machine hosting database partitions:
$ rah date
The authenticity of host 'dpx-rhel7-a.localdomain (172.16.171.75)' can't be established.
ECDSA key fingerprint is SHA256:Q9KB4xh+sS3giwjatZFDmvDIXEvU7zWQOV3I8pEgHSI.
ECDSA key fingerprint is MD5:87:9d:40:73:61:a8:ae:ce:34:eb:4b:28:b1:dc:d3:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dpx-rhel7-a.localdomain,172.16.171.75' (ECDSA) to the list of known hosts.
Fri Feb 19 15:26:46 MST 2021
dpx-rhel7-a.localdomain: date completed ok
The authenticity of host 'dpx-rhel7-b.localdomain (172.16.171.76)' can't be established.
ECDSA key fingerprint is SHA256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc71637.
ECDSA key fingerprint is MD5:b1:94:6a:c9:24:92:d2:34:7c:62:35:b4:d2:61:11:84.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dpx-rhel7-b.localdomain,172.16.171.76' (ECDSA) to the list of known hosts.
Fri Feb 19 15:26:46 MST 2021
dpx-rhel7-b.localdomain: date completed ok
- Validate that the db2_all command works without prompting for input:
$ db2_all date
Fri Feb 19 15:27:34 MST 2021
dpx-rhel7-a.localdomain: date completed ok
Fri Feb 19 15:27:34 MST 2021
dpx-rhel7-a.localdomain: date completed ok
Fri Feb 19 15:27:35 MST 2021
dpx-rhel7-b.localdomain: date completed ok
Fri Feb 19 15:27:35 MST 2021
dpx-rhel7-b.localdomain: date completed ok
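The script below is an added example, not code from the original post or from IBM: it packages the four steps so that nothing has to be answered at a prompt. It assumes, as the post does not state, that the instance home directory is shared by all participating hosts (which is why a single cp into authorized_keys above is enough for both servers), that the partition hosts can be read from the second column of $HOME/sqllib/db2nodes.cfg, and that the operator compares the host-key fingerprints printed by ssh-keygen -lf against each node out of band instead of typing "yes" at the prompts shown above. With the host keys verified up front, the ssh_config options BatchMode and StrictHostKeyChecking make rah and db2_all fail loudly on an unknown or changed host key rather than hang on a prompt or accept the key silently. The sample db2nodes.cfg content is constructed to match the post's two hosts with two partitions each.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: wraps the four
# rsh-to-ssh steps so that nothing prompts interactively.
# Assumptions (not stated on the page): the instance home directory is shared
# by all hosts, the partition hosts are listed in $HOME/sqllib/db2nodes.cfg
# (second column), and the operator verifies host-key fingerprints out of band.

# Constructed sample db2nodes.cfg, using the post's two hosts with two
# partitions each (format: partition-number hostname logical-port).
SAMPLE_NODES_CFG='0 dpx-rhel7-a.localdomain 0
1 dpx-rhel7-a.localdomain 1
2 dpx-rhel7-b.localdomain 0
3 dpx-rhel7-b.localdomain 1'

# dpf_hosts: unique hostnames from db2nodes.cfg text on stdin, in first-seen
# order; blank lines and "#" comment lines are skipped.
dpf_hosts() {
    awk 'NF >= 2 && $1 !~ /^#/ && !seen[$2]++ { print $2 }'
}

# ssh_config_stanza: a ~/.ssh/config block for the given hosts. BatchMode
# refuses every interactive prompt and StrictHostKeyChecking rejects any
# host whose key is not already in known_hosts, so rah/db2_all fail loudly
# instead of hanging or silently accepting a changed key.
ssh_config_stanza() {
    printf 'Host'
    for h in "$@"; do printf ' %s' "$h"; done
    printf '\n    BatchMode yes\n    StrictHostKeyChecking yes\n'
    printf '    ConnectTimeout 10\n    IdentityFile ~/.ssh/id_rsa\n'
}

# check_host: run "date" on one host with the strict options; the exit status
# is ssh's, so a missing key, an unknown host key or a dead node is an error.
check_host() {
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 "$1" date
}

# verify_all: check every host, report each result, fail if any host failed.
verify_all() {
    rc=0
    for h in "$@"; do
        if check_host "$h" >/dev/null 2>&1; then
            echo "$h: passwordless ssh ok"
        else
            echo "$h: FAILED (check authorized_keys and known_hosts for $h)" >&2
            rc=1
        fi
    done
    return "$rc"
}

main() {
    cfg="${DB2NODES_CFG:-$HOME/sqllib/db2nodes.cfg}"
    hosts=$(dpf_hosts < "$cfg")
    [ -n "$hosts" ] || { echo "no hosts found in $cfg" >&2; return 1; }
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"

    # Step 1: key pair (no passphrase, as in the post) only if none exists, then
    # authorize it once; with a shared home this is visible on every host.
    [ -f "$HOME/.ssh/id_rsa" ] || ssh-keygen -t rsa -N '' -f "$HOME/.ssh/id_rsa"
    grep -qsF "$(cat "$HOME/.ssh/id_rsa.pub")" "$HOME/.ssh/authorized_keys" ||
        cat "$HOME/.ssh/id_rsa.pub" >> "$HOME/.ssh/authorized_keys"
    chmod 600 "$HOME/.ssh/authorized_keys"

    # Step 3, done before step 2: collect host keys for review instead of
    # typing "yes" at each prompt; compare the fingerprints with each node.
    pending="$HOME/.ssh/dpf_hostkeys.pending"
    ssh-keyscan -t ecdsa $hosts > "$pending"
    ssh-keygen -lf "$pending"
    printf 'Do these fingerprints match the ones on the nodes? (yes/no) '
    read -r answer
    [ "$answer" = yes ] || { echo "aborting: unverified host keys" >&2; return 1; }
    cat "$pending" >> "$HOME/.ssh/known_hosts" && rm -f "$pending"
    ssh_config_stanza $hosts >> "$HOME/.ssh/config"
    chmod 600 "$HOME/.ssh/config" "$HOME/.ssh/known_hosts"

    # Step 2: point Db2 at ssh; the strict options come from ~/.ssh/config.
    db2set DB2RSHCMD=/usr/bin/ssh

    # Step 4: every partition host must answer without a prompt.
    verify_all $hosts
}

# Only act when explicitly asked, so sourcing the file just defines the helpers.
case "${1:-}" in
    --apply) main ;;
esac
```

Run it as the instance owner with the --apply flag; without the flag it only defines the helper functions. DB2NODES_CFG can point at a different node configuration file for a dry run of the host parsing. Because the options live in ~/.ssh/config rather than in the DB2RSHCMD value, the registry variable keeps the same plain /usr/bin/ssh path the post uses.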
Once these four steps are complete, you are finished. You should be able to stop and start the Db2 instance as normal and use scripts and utilities that rely on the db2_all or rah commands without any further changes.
Then you can disable the rlogin and rsh services on your UNIX or Linux boxes to eliminate the security risk.