To allow SSH switchovers between HANA ECSs and NAT servers, you must configure SSH trust between them.
When creating the NAT server, you specify the certificate key file (.pem file) for the NAT server.
The .pem file is used to generate the .ppk file. For details, see section Logging In to a Linux ECS Using an SSH Key.
Use WinSCP to upload the certificate private key file (.pem file) to the /usr directory on the NAT server using an elastic IP address. Ensure that user root and the key file (.ppk file) are used for authentication.
For example, if the original file name is private.pem, run the following commands to copy it to /root/.ssh/id_rsa and restrict its permissions:
cp /usr/private.pem /root/.ssh/id_rsa
chmod 600 /root/.ssh/id_rsa
Copy the private key and the authorized_keys file to each peer server. The commands are in the following format:
scp /root/.ssh/id_rsa Peer IP address:/root/.ssh/id_rsa
scp /root/.ssh/authorized_keys Peer IP address:/root/.ssh/
For example, if the peer IP address is 10.0.3.102, run the following commands:
scp /root/.ssh/id_rsa 10.0.3.102:/root/.ssh/id_rsa
scp /root/.ssh/authorized_keys 10.0.3.102:/root/.ssh/
To verify the configuration, use SSH to switch from the NAT server to every node except the SAP HANA Studio node.
Switch to an SAP HANA node. Assume that the IP address of the server/client plane of the SAP HANA node is 10.0.3.2.
After switching, switch back to the NAT server. Then verify switching from the NAT server to the other nodes.
The first time you switch to a node, the system displays the fingerprint and the message "Are you sure you want to continue connecting (yes/no)?". Enter yes to continue.
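A post-setup check for the key files this procedure places on each node, as an added example that is not part of the original guide: it flags an id_rsa with loose permissions, a .ssh directory or authorized_keys file writable by group or others, and the uploaded .pem left behind in /usr. The function names and the PREFIX argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. PREFIX is an assumed parameter:
# "" audits the live filesystem, a directory path audits a staging copy.

# Octal permission bits of a file (GNU stat, as on Linux ECSs).
file_mode() { stat -c '%a' "$1"; }

# audit_ssh_trust PREFIX [UPLOADED_KEY]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ssh_trust() {
    prefix=$1
    uploaded=${2:-/usr/private.pem}   # example upload name from this page
    sshdir="$prefix/root/.ssh"
    rc=0

    # ssh refuses a private key that group or others can access.
    if [ ! -f "$sshdir/id_rsa" ]; then
        echo "MISSING $sshdir/id_rsa"; rc=1
    else
        m=$(file_mode "$sshdir/id_rsa")
        case $m in
            600|400) ;;
            *) echo "BAD_MODE $sshdir/id_rsa $m"; rc=1 ;;
        esac
    fi

    # sshd StrictModes ignores authorized_keys when it or ~/.ssh is
    # writable by group or others (digit 2, 3, 6 or 7 in those positions).
    for p in "$sshdir" "$sshdir/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        m=$(file_mode "$p")
        case $m in
            *[2367]|*[2367]?) echo "WRITABLE $p $m"; rc=1 ;;
        esac
    done

    # cp leaves the uploaded private key behind outside /root/.ssh.
    if [ -e "$prefix$uploaded" ]; then
        echo "LEFTOVER_KEY $prefix$uploaded"; rc=1
    fi
    return $rc
}
```

Run `audit_ssh_trust ""` as root on the NAT server and on each peer after the scp step; any output line is a finding to fix before relying on the trust relationship.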