Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1011148.1
Update Date:2010-05-28
Keywords:
Solution Type  Technical Instruction Sure

Solution  1011148.1 :   Sun Fire[TM] 3800/48x0/E4900/6800/E6900: Unscheduled System Controller (SC) Failover upon generation of SSH DSA hostkey  

Related Items 
    

  • Sun Fire E6900 Server
    •  
  • Sun Fire 3800 Server
    •  
  • Sun Fire 6800 Server
    •  
  • Sun Fire E4900 Server
    •  
  • Sun Fire 4800 Server
    •  
  • Sun Fire 4810 Server
    •  
Related Categories 
    

  • GCS>Sun Microsystems>Servers>Midrange Servers
    •  

PreviouslyPublishedAs
215331 




Applies to: 
 
Sun Fire 3800 Server
Sun Fire 4800 Server
Sun Fire 4810 Server
Sun Fire 6800 Server
Sun Fire E4900 Server
All Platforms



Goal

The ScApp CLI "ssh-keygen" facilitates the generation or display of Secure 
Shell (SSH) hostkey fingerprint within the ScApp environment. This document 
discusses an  anomaly observed in the course of using the "ssh-keygen" CLI to 
generate a DSA hostkey.


Solution


Steps to Follow
The ScApp CLI "ssh-keygen" facilitates the generation or display of Secure 
Shell (SSH) hostkey fingerprint within the ScApp environment. The SSH-2 procotol 
uses Digital Signature Algorithm (DSA) based authentication & ScApp's "ssh-
keygen" provides both RSA and DSA hostkey support. The Digital Signature 
Algorithm (DSA), was originally developed by the US National Security Agency 
(NSA) and is part of the Digital Siganture Standard (DSS). 

This document discusses an  anomaly observed in the course of using the "ssh-
keygen" CLI to generate a DSA hostkey : i.e., 

The following ScApp platform logs were captured on the main / spare SCs :

original main SC ( sc1 ) :

v4u-4800c-sc1:SC> ssh-keygen -t dsa
Creating DSA host key may take several minutes.
DSA host key generated.
Use 'restartssh' to restart the SSH server with the new host key.
A restart of the SSH server on the spare SC is also required.
Sep 06 11:12:17 v4u-4800c-sc1 Platform.SC: Stopping all services on this SC
Sep 06 11:12:17 v4u-4800c-sc1 Platform.SC: All services on this SC have been 
stopped.

original spare SC ( sc0 ) :

Sep 05 20:11:39 v4u-4800c-sc0 Platform.SC: SC Failover: no health status 
received from the other SC for 3 minutes
Sep 05 20:12:09 v4u-4800c-sc0 Platform.SC: SC Failover: becoming main SC ...
Sep 05 20:12:20 v4u-4800c-sc0 Platform.SC: SC Failover: disabled
Sep 05 20:12:27 v4u-4800c-sc0 Platform.SC: Chassis is in single partition mode.
Sep 05 20:12:37 v4u-4800c-sc0 Platform.SC: Main System Controller
Sep 05 20:12:57 v4u-4800c-sc0 Platform.SC: Clock failover enabled.
Sep 05 20:13:56 v4u-4800c-sc0 Platform.SC: Frame Manager connected. ID: 080020:
ffa74a


Although, the DSA hostkey actually got generated & reported on the new main SC 
: 

v4u-4800c-sc0:SC> ssh-keygen -l -t dsa
97:ea:bf:b8:6c:69:ac:11:14:30:45:37:5d:44:26:70 (DSA host key)

the DSA host key generation operation did trigger an unscheduled SC Failover 
event.

The basic crux behind the unscheduled SC Failover event observed through the 
course of the SSH DSA hostkey generation is : Such key generation exercises are 
highly CPU intensive and the time it takes is typically dictated by the inherent 
load and the SC's configuration. 

In addition, given that DSA key generation generally consumes more compute 
resources than similar key gen exercises involving RSA hostkeys, the few minutes 
that it may take to generate the DSA hostkey, may result in no health status 
being sent from the main SC and received on the spare SC for more than 3 
minutes.. which would then trigger an automatic SC Failover event. 

Given that such DSA key generation operations are not expected to be a 
frequent admin activity, a simple workaround to the anomaly mentioned above 
would be to simply disable SC Failover ( i.e., exec "setfailover off" ) prior to 
the DSA hostkey gen & re-enabling SC Failover ( i.e., exec "setfailover on" ) 
after the DSA hostkey generation has successfully completed .

Product
Sun Fire 3800 Server

Sun Fire 4800 Server

Sun Fire 4810 Server

Sun Fire 6800 Server

Sun Fire E6900 Server

Sun Fire E4900 Server


 Internal Comments

 See CR 6467598



 serengeti, amazon, SC, SSH, ssh-keygen, dsa, failover, health status, 3 minutes, ScApp

 Previously Published As

 87020



 Change History



 Product_uuid

 29d05214-0a18-11d6-92b2-a111614865b5|Sun Fire 3800 Server

 29d3a694-0a18-11d6-92da-df959df44cdd|Sun Fire 4800 Server

 29d6f808-0a18-11d6-8aa8-943929fbbdd8|Sun Fire 4810 Server

 29da7938-0a18-11d6-8a41-9ed1ad6d6779|Sun Fire 6800 Server

 4fe39727-0599-11d8-84cb-080020a9ed93|Sun Fire E6900 Server

 bed24aa9-0598-11d8-84cb-080020a9ed93|Sun Fire E4900 Server



Attachments

This solution has no attachment


















       

Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.

 Feedback