How to Configure Passwordless SSH Authentication Between Oracle RAC Nodes

 


During Oracle RAC installation (especially Grid Infrastructure), the installer and tools need to execute commands across all RAC nodes automatically, without human intervention.

Passwordless SSH is needed because:

| During Installation Step | Why Passwordless SSH is Needed |
|---|---|
| Grid Infrastructure (GI) installation | The Oracle Universal Installer (runInstaller) copies files, runs scripts, and sets up ASM, Clusterware and CRS services across all nodes. |
| Cluster Verification (cluvfy) | Verifies shared storage, network configuration and user equivalence by connecting across nodes. |
| Running root.sh automatically | The installer needs to trigger root scripts remotely on all nodes. |
| Configuration of SCAN, VIPs | RAC configures network resources, which requires access to all nodes without asking for a password each time. |
| opatchauto (patching GI or RAC) | OPatchAuto automatically connects to all nodes, stops CRS, applies patches and restarts, so it needs SSH access. |
| Database installation | The same applies to the database binaries if installing with RAC options. |

📋 As per Oracle's official documentation:

"You must configure secure shell (SSH) for both the Oracle Grid Infrastructure software owner (grid) and the Oracle Database software owner (oracle) to enable passwordless SSH user equivalence across all cluster nodes. This is required for Oracle Universal Installer to copy and run scripts on all cluster nodes during installation."

  

Assumptions

  • Your RAC nodes: at least a 2-node RAC
  • You are configuring passwordless SSH for the following users:
    • grid user (for Grid Infrastructure)
    • oracle user (for RDBMS software)

(If you use only one user for both, the steps are the same.)

 

On node1 (hostname: testrac1), as the grid user:

[grid@testrac1 ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/grid/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/grid/.ssh/id_rsa.

Your public key has been saved in /home/grid/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:bLXitTwHBHpFSE88BWI8pA0Bwq3Z0ifj4hb+tGvXrV4 grid@testrac1

The key's randomart image is:

+---[RSA 3072]----+

| .....o=*+=o.    |

|  ...  *+*o      |

|   =  o o.+.     |

|  + = .o o .     |

|   o +  S +      |

|  o .  o + o     |

| o o.  ...E .    |

|  +.... ...o     |

| . o+o .o.       |

+----[SHA256]-----+

[grid@testrac1 ~]$ cd ~/.ssh

[grid@testrac1 .ssh]$ cat id_rsa.pub >> authorized_keys

 

On node2 (hostname: testrac2), as the grid user:

[grid@testrac2 ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/grid/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/grid/.ssh/id_rsa.

Your public key has been saved in /home/grid/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:BBrZIK8m2dhCjaH4jkPNwl9itHsx4QKVBM5PN754Hf8 grid@testrac2

The key's randomart image is:

+---[RSA 3072]----+

| o+o++.          |

|= =+.o..         |

|o* +o+  .        |

|o*B.= o.         |

|=+*O * .S        |

|.*+ * = o        |

|o .+ + . .       |

| .  o     .      |

|           E     |

+----[SHA256]-----+

 

[grid@testrac2 ~]$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

 

Exchange Public Keys

From testrac1:

[grid@testrac1 .ssh]$ scp ~/.ssh/id_rsa.pub testrac2:/tmp/testrac1_id_rsa.pub

 

 

From testrac2:

[grid@testrac2 .ssh]$ scp ~/.ssh/id_rsa.pub testrac1:/tmp/testrac2_id_rsa.pub

 

 

Merge the keys into authorized_keys on both nodes

On testrac1:

[grid@testrac1 .ssh]$ cat /tmp/testrac2_id_rsa.pub >> ~/.ssh/authorized_keys

 

On testrac2:

[grid@testrac2 .ssh]$ cat /tmp/testrac1_id_rsa.pub >> ~/.ssh/authorized_keys

 

Perform the same steps for the oracle user if you are using oracle as the RDBMS user.

 

 

Test passwordless authentication from both servers:

From testrac1

[grid@testrac2 ~]$ ssh testrac1 date

Mon Apr 28 20:07:19 IST 2025

[grid@testrac2 ~]$ ssh testrac2 date

Mon Apr 28 20:07:24 IST 2025

 

From testrac2

[grid@testrac1 ~]$ ssh testrac1 date

Mon Apr 28 20:08:19 IST 2025

[grid@testrac1 ~]$ ssh testrac2 date

Mon Apr 28 20:08:29 IST 2025
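
An added example, not part of the original post: the merge and test steps above written as idempotent shell functions that also set the file modes sshd's StrictModes check expects and verify the result without prompting. The function names and the key strings used in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# merge_pubkey PUBKEY_FILE SSH_DIR
# Append one public key to SSH_DIR/authorized_keys, once, with safe modes.
merge_pubkey() {
    pub=$1; dir=$2; auth=$dir/authorized_keys

    [ -s "$pub" ] || { echo "missing or empty: $pub" >&2; return 1; }

    # The file was staged in /tmp, so accept only a single bare key line:
    # no options prefix such as command="..." and no extra lines.
    n=$(grep -c '' "$pub")
    [ "$n" -eq 1 ] || { echo "expected one line in $pub" >&2; return 1; }
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' "$pub" \
        || { echo "not a bare public key: $pub" >&2; return 1; }

    # sshd (StrictModes yes, the default) rejects authorized_keys when the
    # directory or the file is writable by group or others.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    key=$(cat "$pub")
    # Unlike a plain ">>", re-running the step does not duplicate the entry.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# ssh_perms_ok SSH_DIR: succeed only if neither SSH_DIR nor its
# authorized_keys is group- or world-writable.
ssh_perms_ok() {
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        case $(ls -ld "$p" | cut -c6,9) in
            --) ;;
            *) echo "group/world-writable: $p" >&2; return 1 ;;
        esac
    done
}

# verify_equivalence HOST...: BatchMode makes ssh fail instead of prompting
# for a password or an unknown host key, which is what the installer needs.
verify_equivalence() {
    rc=0
    for h in "$@"; do
        ssh -o BatchMode=yes -o ConnectTimeout=5 "$h" date >/dev/null \
            || { echo "user equivalence not working for $h" >&2; rc=1; }
    done
    return $rc
}

# Demo on constructed (not real) key material in a scratch directory.
# Prints the number of entries left after merging the same key twice.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedNODE2 grid@testrac2' > "$d/n2.pub"
    merge_pubkey "$d/n2.pub" "$d/.ssh" && merge_pubkey "$d/n2.pub" "$d/.ssh" \
        && ssh_perms_ok "$d/.ssh" && grep -c '' "$d/.ssh/authorized_keys"
    rm -rf "$d"
}
```

Before merging a key staged in /tmp, compare the output of `ssh-keygen -lf /tmp/testrac2_id_rsa.pub` with the fingerprint printed when the key was generated on the other node.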

 

This concludes the passwordless SSH configuration between Oracle RAC nodes.

 

How to Configure SCAN and VIPs in Oracle RAC 19c

 



1. What is SCAN and VIP in RAC? (Quick intro)

  • SCAN (Single Client Access Name):
    • A single name that clients use to connect to the database.
    • Behind the scenes, SCAN resolves to three IP addresses (round-robin via DNS or GNS).
    • Advantage: No need to change client connection strings if nodes are added/removed.
  • VIP (Virtual IP):
    • Each RAC node gets a VIP in addition to its public IP.
    • If a node fails, its VIP can quickly failover to another node.
    • Helps in fast TCP/IP failover without long TCP timeout delays.

2. Network Requirements

You'll need three networks:

  • Public Network (for client/database communication)
  • Private Network (for cluster interconnect/heartbeat)
  • Optional: Backup Network (for redundancy)

Important IP planning:

| IP Type | Needed |
|---|---|
| Public IPs | 1 per node |
| VIPs | 1 per node |
| Private IPs | 1 per node |
| SCAN IPs | 3 total (shared across the cluster) |


3. DNS Setup (for SCAN and VIPs)

Before RAC installation, ensure:

  • SCAN Name points to three IP addresses in DNS.
  • VIP Names are mapped separately in DNS (or /etc/hosts for non-production setups).

Example DNS Entries:

# SCAN entries (round-robin DNS)

testrac-scan.subnet09212030.vcn09212030.oraclevcn.com IN A 10.0.0.98

testrac-scan.subnet09212030.vcn09212030.oraclevcn.com IN A 10.0.0.177

testrac-scan.subnet09212030.vcn09212030.oraclevcn.com IN A 10.0.0.112

# Public IPs

testrac1.subnet09212030.vcn09212030.oraclevcn.com IN  A 10.0.0.127

testrac2.subnet09212030.vcn09212030.oraclevcn.com IN  A  10.0.0.158

# VIPs

testrac1-vip.subnet09212030.vcn09212030.oraclevcn.com  IN  A  10.0.0.36

testrac2-vip.subnet09212030.vcn09212030.oraclevcn.com  IN  A  10.0.0.178

 

 

Note:

  • SCAN should not resolve to a single IP — must have three IPs.
  • VIPs should be in the same subnet as the public IPs.

4. /etc/hosts Example (if not using DNS)

# Public IPs

10.0.0.127 testrac1.subnet09212030.vcn09212030.oraclevcn.com testrac1

10.0.0.158  testrac2.subnet09212030.vcn09212030.oraclevcn.com  testrac2

 

# VIPs

10.0.0.36 testrac1-vip.subnet09212030.vcn09212030.oraclevcn.com testrac1-vip

10.0.0.178  testrac2-vip.subnet09212030.vcn09212030.oraclevcn.com  testrac2-vip

 

# Private Interconnect

192.168.16.18 testrac1-priv.subnet09212030.vcn09212030.oraclevcn.com testrac1-priv

192.168.16.19  testrac2-priv.subnet09212030.vcn09212030.oraclevcn.com  testrac2-priv

 

# SCAN IPs

10.0.0.98         testrac-scan.subnet09212030.vcn09212030.oraclevcn.com

10.0.0.177      testrac-scan.subnet09212030.vcn09212030.oraclevcn.com

10.0.0.112      testrac-scan.subnet09212030.vcn09212030.oraclevcn.com
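
An added example, not part of the original post: a check of a hosts-format address plan against the two rules in the note above (three SCAN addresses, VIPs in the public subnet). The function names are hypothetical, and a /24 public subnet is assumed, matching the 255.255.255.0 netmask used on this page.

```shell
#!/bin/sh
# Added example, not from the original post. check_rac_hosts and
# rac_hosts_sample are hypothetical names; a /24 public subnet is assumed.

# check_rac_hosts HOSTS_FILE SCAN_FQDN
# Exit 0 only if the SCAN name has exactly three distinct addresses and
# every <node>-vip address shares the /24 of <node>'s public address.
check_rac_hosts() {
    awk -v scan="$2" '
        function net24(a,   o) { split(a, o, "."); return o[1] "." o[2] "." o[3] }
        /^[ \t]*#/ { next }                       # comment lines
        NF < 2     { next }                       # blank or incomplete lines
        {
            ip = $1
            split($2, part, "."); node = part[1]  # short host name
            if ($2 == scan) {
                if (!(ip in seen)) { seen[ip] = 1; nscan++ }
            } else if (node ~ /-vip$/) {
                sub(/-vip$/, "", node); vip[node] = ip
            } else if (node !~ /-priv$/) {
                pub[node] = ip
            }
        }
        END {
            bad = 0
            if (nscan != 3) {
                printf "SCAN %s has %d address(es), expected 3\n", scan, nscan
                bad = 1
            }
            for (n in vip) {
                if (!(n in pub)) {
                    printf "%s-vip has no matching public entry\n", n; bad = 1
                } else if (net24(vip[n]) != net24(pub[n])) {
                    printf "%s-vip %s is outside the subnet of %s\n", n, vip[n], pub[n]
                    bad = 1
                }
            }
            exit bad
        }' "$1"
}

# The /etc/hosts plan from this page, reproduced as sample input.
rac_hosts_sample() {
    d=subnet09212030.vcn09212030.oraclevcn.com
    cat <<EOF
# Public IPs
10.0.0.127 testrac1.$d testrac1
10.0.0.158 testrac2.$d testrac2
# VIPs
10.0.0.36 testrac1-vip.$d testrac1-vip
10.0.0.178 testrac2-vip.$d testrac2-vip
# Private Interconnect
192.168.16.18 testrac1-priv.$d testrac1-priv
192.168.16.19 testrac2-priv.$d testrac2-priv
# SCAN IPs
10.0.0.98 testrac-scan.$d
10.0.0.177 testrac-scan.$d
10.0.0.112 testrac-scan.$d
EOF
}
```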

 


5. During Grid Infrastructure Installation

When you install Grid Infrastructure:

  • Installer will prompt for SCAN name.
  • Installer will auto-detect SCAN IPs based on DNS.
  • It will also ask for:
    • Public Interface
    • Private Interface
    • VIP names for each node.

Oracle Clusterware will configure and manage SCAN listeners and VIP listeners automatically after installation.


6. Post-Installation Checks

After installation:

  • Check SCAN listeners:

$ srvctl config scan

[oracle@testrac1 ~]$ srvctl config scan

SCAN name: testrac-scan.subnet09212030.vcn09212030.oraclevcn.com, Network: 1

Subnet IPv4: 10.0.0.0/255.255.255.0/enp0s5, static

Subnet IPv6:

SCAN 1 IPv4 VIP: 10.0.0.112

SCAN VIP is enabled.

SCAN 2 IPv4 VIP: 10.0.0.177

SCAN VIP is enabled.

SCAN 3 IPv4 VIP: 10.0.0.98

SCAN VIP is enabled.

 

$ srvctl config scan_listener

[oracle@testrac1 ~]$ srvctl config scan_listener

SCAN Listeners for network 1:

Registration invited nodes:

Registration invited subnets:

Endpoints: TCP:1521

SCAN Listener LISTENER_SCAN1 exists

SCAN Listener is enabled.

SCAN Listener LISTENER_SCAN2 exists

SCAN Listener is enabled.

SCAN Listener LISTENER_SCAN3 exists

SCAN Listener is enabled.

 

  • Check VIPs:

[oracle@testrac1 ~]$ srvctl config nodeapps

Network 1 exists

Subnet IPv4: 10.0.0.0/255.255.255.0/enp0s5, static

Subnet IPv6:

Ping Targets:

Network is enabled

Network is individually enabled on nodes:

Network is individually disabled on nodes:

VIP exists: network number 1, hosting node testrac1

VIP Name: testrac1-vip.subnet09212030.vcn09212030.oraclevcn.com

VIP IPv4 Address: 10.0.0.36

VIP IPv6 Address:

VIP is enabled.

VIP is individually enabled on nodes:

VIP is individually disabled on nodes:

VIP exists: network number 1, hosting node testrac2

VIP Name: testrac2-vip.subnet09212030.vcn09212030.oraclevcn.com

VIP IPv4 Address: 10.0.0.178

VIP IPv6 Address:

VIP is enabled.

VIP is individually enabled on nodes:

VIP is individually disabled on nodes:

ONS exists: Local port 6100, remote port 6200, EM port 2016, Uses SSL true

ONS is enabled

ONS is individually enabled on nodes:

ONS is individually disabled on nodes:

 

You should see VIPs and SCAN listeners running fine.


7. Troubleshooting Tips

  • If SCAN listeners aren’t working, check:
    • DNS settings (or /etc/hosts)
    • Firewall rules blocking SCAN IPs
    • Network interface binding issues
  • If VIP fails to start:
    • Ensure the VIP is in the correct subnet.
    • Check the public network card configuration.

 

ocrcheck commands in Oracle RAC 19c

 


 

In Oracle RAC (Real Application Clusters), ocrcheck is a command-line utility used to check the status of Oracle Cluster Registry (OCR) in a cluster environment. The OCR stores important configuration data for Oracle Clusterware, such as cluster node information, voting disk locations, and other configuration details.

Check OCR Status: To check the status of the OCR and verify its integrity, use the following command:

[root@testrac1 ~]# cd /u01/app/19.0.0.0/grid/bin/

[root@testrac1 bin]# ./ocrcheck

Status of Oracle Cluster Registry is as follows :

         Version                  :          4

         Total space (kbytes)     :     901284

         Used space (kbytes)      :      84572

         Available space (kbytes) :     816712

         ID                       : 2059301600

         Device/File Name         :      +DATA

                                    Device/File integrity check succeeded

 

                                    Device/File not configured

 

                                    Device/File not configured

 

                                    Device/File not configured

 

                                    Device/File not configured

 

         Cluster registry integrity check succeeded

 

         Logical corruption check succeeded

 

Check the Oracle Local Registry (OLR) on the node where you run the command:

[root@testrac1 bin]# ./ocrcheck -local

Status of Oracle Local Registry is as follows :

         Version                  :          4

         Total space (kbytes)     :     491684

         Used space (kbytes)      :      83324

         Available space (kbytes) :     408360

         ID                       : 1502315622

         Device/File Name         : /u01/app/grid/crsdata/testrac1/olr/testrac1_19.olr

                                    Device/File integrity check succeeded

 

         Local registry integrity check succeeded

 

         Logical corruption check succeeded

 

 

Check OCR Configuration: If you need more detailed information about the OCR configuration, including its location, you can use:

[root@testrac1 bin]# ./ocrcheck -config

Oracle Cluster Registry configuration is :

         Device/File Name         :      +DATA

 

Check the location of the local registry (OLR):

[root@testrac1 bin]# ./ocrcheck -local -config

Oracle Local Registry configuration is :

         Device/File Name         : /u01/app/grid/crsdata/testrac1/olr/testrac1_19.olr

 

 

Installing Oracle 23ai on Linux 9

 

Installing Oracle 23ai on Linux 9: A Step-by-Step Guide for Modern DBAs

Pre-requisites

Before diving in, let’s get our system ready.

OS Requirements:

- 20+ GB free disk space

- At least 8 GB RAM

- x86_64 architecture

- Oracle Linux 9 (preferred with UEK)

 

Step 1: Install Required Packages

Oracle provides a handy pre-install RPM that handles dependencies and kernel tuning.

 

Command:

[root@rd opc]# dnf install -y oracle-database-preinstall-23ai

 

This will:

- Set kernel parameters

- Create required groups and users (if not done)

- Install packages like `binutils`, `glibc`, `ksh`, etc.

Step 2: Download and Install Oracle 23ai RPM

Download the Oracle 23ai Free RPM package from Oracle’s official site.

Official link for download:- https://www.oracle.com/database/free/get-started/

OR

Use wget to download the RPM directly onto the server:

[root@rd u01]# wget https://download.oracle.com/otn-pub/otn_software/db-free/oracle-database-free-23ai-1.0-1.el9.x86_64.rpm

Install using:

[root@rd u01]# sudo dnf install -y oracle-database-free-23ai-1.0-1.el9.x86_64.rpm

 

 

This installs Oracle binaries in `/opt/oracle/product/23ai/dbhomeFree`.

Step 3: Configure the Database

Create and configure your Oracle 23ai database with:

 

[root@rd dbhomeFree]# sudo /etc/init.d/oracle-free-23ai configure

Specify a password to be used for database accounts. Oracle recommends that the password entered should be at least 8 characters in length, contain at least 1 uppercase character, 1 lower case character and 1 digit [0-9]. Note that the same password will be used for SYS, SYSTEM and PDBADMIN accounts:

Confirm the password:

Configuring Oracle Listener.

Listener configuration succeeded.

Configuring Oracle Database FREE.

Enter SYS user password:

************

Enter SYSTEM user password:

*************

Enter PDBADMIN User Password:

*************

Prepare for db operation

7% complete

Copying database files

29% complete

Creating and starting Oracle instance

30% complete

33% complete

36% complete

39% complete

43% complete

Completing Database Creation

47% complete

49% complete

50% complete

Creating Pluggable Databases

54% complete

71% complete

Executing Post Configuration Actions

93% complete

Running Custom Scripts

100% complete

Database creation complete. For details check the logfiles at:

 /opt/oracle/cfgtoollogs/dbca/FREE.

Database Information:

Global Database Name:FREE

System Identifier(SID):FREE

Look at the log file "/opt/oracle/cfgtoollogs/dbca/FREE/FREE.log" for further details.

 

Connect to Oracle Database using one of the connect strings:

     Pluggable database: rd/FREEPDB1

 

 

The script will:

- Set up the Oracle listener

- Initialize the database

- Start the database service

Step 4: Test the Installation

Switch to the `oracle` user and test the environment:

 

sudo su - oracle

Environment Variables

To make life easier, set the following in `.bash_profile` for the `oracle` user:

export ORACLE_HOME=/opt/oracle/product/23ai/dbhomeFree

export ORACLE_SID=FREE

export PATH=$ORACLE_HOME/bin:$PATH

 

Apply the changes:

source ~/.bash_profile

 

To connect to the root container:

[oracle@rd ~]$ sqlplus sys@//localhost:1521/free as sysdba

 Enter password:

SQL*Plus: Release 23.0.0.0.0 - Production on Thu Apr 24 04:24:50 2025

Version 23.7.0.25.01

 

Copyright (c) 1982, 2025, Oracle.  All rights reserved.

 

Enter password:

 

Connected to:

Oracle Database 23ai Free Release 23.0.0.0.0 - Develop, Learn, and Run for Free

Version 23.7.0.25.01

 

SQL> show pdbs

 

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED

---------- ------------------------------ ---------- ----------

         2 PDB$SEED                       READ ONLY  NO

         3 FREEPDB1                       READ WRITE NO

SQL> show con_name

 

CON_NAME

------------------------------

CDB$ROOT

SQL>

 

To connect to the pluggable database:

[oracle@rd ~]$ sqlplus sys@//localhost:1521/freepdb1 as sysdba

 Enter password:

SQL*Plus: Release 23.0.0.0.0 - Production on Thu Apr 24 04:26:47 2025

Version 23.7.0.25.01

 

Copyright (c) 1982, 2025, Oracle.  All rights reserved.

 

Enter password:

 

Connected to:

Oracle Database 23ai Free Release 23.0.0.0.0 - Develop, Learn, and Run for Free

Version 23.7.0.25.01

SQL> show con_name

 

CON_NAME

------------------------------

FREEPDB1

 

 

Optional: Enable Auto-Start on Boot

To enable Oracle to start automatically after reboot:

[root@rd u01]# sudo systemctl enable oracle-free-23ai

oracle-free-23ai.service is not a native service, redirecting to systemd-sysv-install.

Executing: /usr/lib/systemd/systemd-sysv-install enable oracle-free-23ai

 

The database service can be stopped and started with the following commands as the root user:

[root@rd opc]# /etc/init.d/oracle-free-23ai stop

[root@rd opc]# /etc/init.d/oracle-free-23ai start

Final Thoughts

"23ai" = Oracle 23c: Oracle renamed the release from 23c to 23ai to reflect its built-in artificial intelligence and machine learning capabilities.

 Free Edition: It's the lightweight version of the full Oracle Database, similar to what Oracle 21c XE was, but even easier to install and use (especially with the RPM installer).

 

How to Patch Oracle 19c to Release 19.27 – A Complete Step-by-Step Blog



🚀 Introduction

Keeping your Oracle environment up to date is essential — not just for performance, but also for security and stability. Oracle regularly releases patches, and today, I’ll walk you through the exact steps I followed to patch my Oracle 19c database from version 19.26.0.0.0 to 19.27.0.0.0.

This isn’t just a technical dump. It’s a real-life, step-by-step guide that includes everything you’ll need: downloads, checks, patching, verification, and a few gotchas to watch out for.

⚠️ Note: Please don’t blindly follow this on production systems. Always test first!


🔍 Why is Oracle Patching Important?

  • 🔐 Security – Patches protect your system from known vulnerabilities.
  • 🐛 Bug Fixes – They fix software issues that might crash your app or corrupt data.
  • ⚙️ Performance – Some patches improve performance and stability.
  • Compliance – Often required by industry standards and audits.
  • 🆕 New Features – Occasionally, you’ll get useful improvements.

🧩 Types of Oracle Patches

Oracle releases a variety of patches:

  • Critical Patch Updates (CPUs) – Quarterly security-focused releases.
  • Security Alerts – Out-of-cycle security fixes.
  • Patch Set Updates (PSUs) – Bundles of fixes + past CPU patches.
  • Interim Patches – One-off patches for urgent issues.
  • Bundle Patches – Component-specific patch sets.
  • Release Updates (RUs) – Major rolling updates in 19c+ that include all of the above.

📅 Next CPU release is scheduled for July 15, 2025.


🧰 How to Apply Oracle 19.27 Patch – Full Walkthrough

Let’s dive into the actual process.


1. Download the Patch and OPatch Utility

  1. Log in to Oracle Support using your org credentials.
  2. Go to Patches & Updates, search with document ID 2118136.2.
  3. Select your platform: Oracle 19c → Non-RAC or RAC → April 2025 Patch.
  4. Choose OS: e.g. Red Hat Linux x86_64.
  5. Download the README file – this is your best friend.
  6. Download:
    • Patch file: p37642901_190000_Linux-x86-64.zip
    • OPatch utility: p6880880_190000_Linux-x86-64.zip

2. Check and Update OPatch

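On the server:

[oracle@ocisoumya ~]$ cd $ORACLE_HOME/OPatch

[oracle@ocisoumya ~]$ ./opatch version

You need version 12.2.0.1.46 or higher.

If not, replace the OPatch directory with the one from the downloaded ZIP (the commands below assume the ZIP is in /home/oracle/patch, the directory used in step 3):

[oracle@ocisoumya ~]$ cd $ORACLE_HOME

[oracle@ocisoumya ~]$ mv OPatch OPatch_backup1

[oracle@ocisoumya ~]$ cp /home/oracle/patch/p6880880_190000_Linux-x86-64.zip $ORACLE_HOME

[oracle@ocisoumya ~]$ unzip p6880880_190000_Linux-x86-64.zip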

 

 

🔧 Optional: Update your .bash_profile to run opatch globally:

[oracle@ocisoumya ~]$ vi /home/oracle/.bash_profile

PATH=$ORACLE_HOME/OPatch:$PATH

:wq

[oracle@ocisoumya ~]$ . ~/.bash_profile

 


3. Prepare the Patch Directory

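[oracle@ocisoumya ~]$ mkdir /home/oracle/patch

[oracle@ocisoumya ~]$ chmod -R 750 /home/oracle/patch

The oracle user owns this directory and is the only account that needs it, so 750 is enough. A world-writable (777) patch directory would let any local user alter the patch files before opatch applies them to the Oracle home.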

 

 

Transfer both ZIP files (Patch + OPatch) to this directory using WinSCP or similar.


4. Unzip the Patch

[oracle@ocisoumya ~]$ cd /home/oracle/patch

[oracle@ocisoumya ~]$ unzip p37642901_190000_Linux-x86-64.zip

[oracle@ocisoumya ~]$ cd 37642901

 


5. Run Pre-checks

Before applying the patch, check for conflicts:

[oracle@ocisoumya ~]$ $ORACLE_HOME/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -ph ./

 

If you see “Success”, you’re good to go.


6. Stop Database and Listener

[oracle@ocisoumya ~]$ sqlplus / as sysdba

SQL> shutdown immediate

SQL> exit

[oracle@ocisoumya ~]$ lsnrctl stop

 

 

Verify that all services are down.


7. Clean Up Inactive Patches (Optional but Recommended)

[oracle@ocisoumya ~]$ cd $ORACLE_HOME/OPatch

[oracle@ocisoumya ~]$ ./opatch util listOrderedInactivePatches

[oracle@ocisoumya ~]$ ./opatch util deleteInactivePatches

 

 


8. Make Sure You Have Enough Space

You’ll need at least 12 GB free in /home.

[oracle@ocisoumya ~]$ df -h


9. Apply the Patch

[oracle@ocisoumya ~]$ cd /home/oracle/patch/37642901

[oracle@ocisoumya ~]$ $ORACLE_HOME/OPatch/opatch apply

 

Watch for success messages during the patch process.


10. Run DataPatch

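This registers the patch inside the database. datapatch needs the database to be open, so run the startup from step 11 first if the instance is still down:

[oracle@ocisoumya ~]$ cd $ORACLE_HOME/OPatch

[oracle@ocisoumya ~]$ ./datapatch -verbose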

 

 


 

11. Start Database and Verify Patch

[oracle@ocisoumya ~]$ sqlplus / as sysdba

SQL> startup

SQL> select * from v$version;

 

You should see 19.27.0.0.0 listed in the output!

 


📌 Final Tips

  • 🗂️ Always patch standby first in Data Guard setups.
  • 💡 Never patch production first — test on a non-prod clone.
  • 📝 Always read the README.
  • 💬 Share this guide if it helped!