Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1011148.1
Update Date: 2010-05-28

Solution Type  Technical Instruction Sure

Solution  1011148.1 :   Sun Fire[TM] 3800/48x0/E4900/6800/E6900: Unscheduled System Controller (SC) Failover upon generation of SSH DSA hostkey  


Related Items
  • Sun Fire E6900 Server
  • Sun Fire 3800 Server
  • Sun Fire 6800 Server
  • Sun Fire E4900 Server
  • Sun Fire 4800 Server
  • Sun Fire 4810 Server

Related Categories
  • GCS>Sun Microsystems>Servers>Midrange Servers

PreviouslyPublishedAs
215331


Applies to:

Sun Fire 3800 Server
Sun Fire 4800 Server
Sun Fire 4810 Server
Sun Fire 6800 Server
Sun Fire E4900 Server
All Platforms

Goal

The ScApp CLI "ssh-keygen" facilitates the generation or display of a Secure
Shell (SSH) hostkey fingerprint within the ScApp environment. This document
discusses an anomaly observed in the course of using the "ssh-keygen" CLI to
generate a DSA hostkey.

Solution


Steps to Follow
The ScApp CLI "ssh-keygen" facilitates the generation or display of a Secure
Shell (SSH) hostkey fingerprint within the ScApp environment. The SSH-2 protocol
uses Digital Signature Algorithm (DSA) based authentication, and ScApp's
"ssh-keygen" provides both RSA and DSA hostkey support. The Digital Signature
Algorithm (DSA) was originally developed by the US National Security Agency
(NSA) and is part of the Digital Signature Standard (DSS).

This document discusses an anomaly observed in the course of using the
"ssh-keygen" CLI to generate a DSA hostkey, i.e.,

The following ScApp platform logs were captured on the main and spare SCs:

original main SC (sc1):

v4u-4800c-sc1:SC> ssh-keygen -t dsa
Creating DSA host key may take several minutes.
DSA host key generated.
Use 'restartssh' to restart the SSH server with the new host key.
A restart of the SSH server on the spare SC is also required.
Sep 06 11:12:17 v4u-4800c-sc1 Platform.SC: Stopping all services on this SC
Sep 06 11:12:17 v4u-4800c-sc1 Platform.SC: All services on this SC have been stopped.

original spare SC (sc0):

Sep 05 20:11:39 v4u-4800c-sc0 Platform.SC: SC Failover: no health status received from the other SC for 3 minutes
Sep 05 20:12:09 v4u-4800c-sc0 Platform.SC: SC Failover: becoming main SC ...
Sep 05 20:12:20 v4u-4800c-sc0 Platform.SC: SC Failover: disabled
Sep 05 20:12:27 v4u-4800c-sc0 Platform.SC: Chassis is in single partition mode.
Sep 05 20:12:37 v4u-4800c-sc0 Platform.SC: Main System Controller
Sep 05 20:12:57 v4u-4800c-sc0 Platform.SC: Clock failover enabled.
Sep 05 20:13:56 v4u-4800c-sc0 Platform.SC: Frame Manager connected. ID: 080020: ffa74a


Although the DSA hostkey was actually generated and reported on the new main
SC:

v4u-4800c-sc0:SC> ssh-keygen -l -t dsa
97:ea:bf:b8:6c:69:ac:11:14:30:45:37:5d:44:26:70 (DSA host key)

the DSA host key generation operation did trigger an unscheduled SC Failover
event.

The root cause of the unscheduled SC Failover event observed during SSH DSA
hostkey generation is that such key generation is highly CPU intensive, and
the time it takes is typically dictated by the inherent load and the SC's
configuration.

In addition, DSA key generation generally consumes more compute resources than
comparable RSA hostkey generation. During the few minutes that it may take to
generate the DSA hostkey, no health status may be sent from the main SC and
received on the spare SC for more than 3 minutes, which then triggers an
automatic SC Failover event.

Given that such DSA key generation operations are not expected to be a
frequent admin activity, a simple workaround is to disable SC Failover (i.e.,
exec "setfailover off") prior to the DSA hostkey generation and to re-enable
SC Failover (i.e., exec "setfailover on") after the DSA hostkey generation has
successfully completed.
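
The following Python example is added here and is not part of the original Sun document: it scans SC platform log lines (for instance, as collected on a syslog loghost) for the failover signature shown in the spare SC excerpt and estimates the latest time at which health status could last have been received. The function names and the placeholder year (the log lines carry none) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines taken from the spare SC excerpt above, with wrapped lines rejoined.
SAMPLE_LOG = """\
Sep 05 20:11:39 v4u-4800c-sc0 Platform.SC: SC Failover: no health status received from the other SC for 3 minutes
Sep 05 20:12:09 v4u-4800c-sc0 Platform.SC: SC Failover: becoming main SC ...
Sep 05 20:12:20 v4u-4800c-sc0 Platform.SC: SC Failover: disabled
Sep 05 20:12:37 v4u-4800c-sc0 Platform.SC: Main System Controller
"""

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) Platform\.SC: (.*)$")
TIMEOUT_RE = re.compile(
    r"SC Failover: no health status received from the other SC for (\d+) minutes")
TAKEOVER = "SC Failover: becoming main SC"

def parse(text, year):
    """Yield (timestamp, host, message) for each Platform.SC log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_heartbeat_failovers(text, year=2000):
    """Report failovers that followed a missed-health-status timeout.

    year is an arbitrary placeholder (assumption): the log has no year field.
    A takeover with no preceding timeout on the same SC is not reported.
    """
    pending = {}  # host -> (time the timeout was logged, timeout in minutes)
    found = []
    for ts, host, msg in parse(text, year):
        timeout = TIMEOUT_RE.search(msg)
        if timeout:
            pending[host] = (ts, int(timeout.group(1)))
        elif msg.startswith(TAKEOVER) and host in pending:
            logged, minutes = pending.pop(host)
            found.append({
                "new_main": host,
                "timeout_logged": logged,
                "took_over": ts,
                # Health status must have stopped arriving by this time.
                "last_health_status_before": logged - timedelta(minutes=minutes),
            })
    return found

if __name__ == "__main__":
    for record in find_heartbeat_failovers(SAMPLE_LOG):
        print(record)
```

The two excerpts above carry timestamps that do not line up (Sep 06 11:12 on sc1, Sep 05 20:12 on sc0), so match the computed window against activity on the other SC by sequence of events rather than by wall-clock time.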

Product
Sun Fire 3800 Server
Sun Fire 4800 Server
Sun Fire 4810 Server
Sun Fire 6800 Server
Sun Fire E6900 Server
Sun Fire E4900 Server

Internal Comments
See CR 6467598

serengeti, amazon, SC, SSH, ssh-keygen, dsa, failover, health status, 3 minutes, ScApp
Previously Published As
87020
