TIP: Update_All in AIX v5.3 v6.1 v7.1

http://www-01.ibm.com/support/docview.wss?uid=isg3T1010755

 

Question

What is the recommended process for upgrading to a new Technology Level or Service Pack in AIX ?

Answer

— Updating to a New Technology Level or Service Pack —
Update_All in 5.3, 6.1, and AIX 7
This document describes the recommended preparation and process when considering updating your system to a new technology level or adding a service pack to an existing technology level. In all, we will review some key words and terminology, run through recommended pre-checks, discuss the update_all process using both SMIT and the command line, and finally cover post-checks and FAQ.

Updating AIX v5.3 v6.1 v7.1 to a new Technology Level or Service Pack.pdf

TIP: Bug in AIX Systems Director Common Agent (cas agent); root fills up with bogus /dev file "/dev/null 2>&1"

================================================================

If you have root filling up and see a bogus file in /dev:

-rw-r--r--    1 root     system         861 Sep 27 19:14 null 2>&1

Then you are hitting the following issue with the Systems Director Common Agent (cas agent). Reference:

Director Agent 6.2.1 on AIX Might Fill Up / Filesystem

http://www-304.ibm.com/support/docview.wss?uid=nas74d33539b559cc0308625792900533a8f

Also, here’s a good write-up on how to check why the root file system is full:

/ (root) overflow

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.baseadmn/doc/baseadmndita/fsrootover.htm

PowerHA: PREVENT EMAIXOS (HARMAD) FROM RUNNING IN HACMP ON AIX 6.1

Many thanks to a great customer for having me add this to the blog…

We’ve recently run into this and it’s pretty much benign, but annoying.  The APAR’s not new (2010), but our version of HACMP did not have the APAR in it.  The only caveat I found is that it appears this subsystem is still required for Oracle 9i (which explains why it’s not part of the standard release of HACMP).

Link:  http://www.ibm.com/support/docview.wss?uid=isg1IZ86787

IZ86787: PREVENT EMAIXOS (HARMAD) FROM RUNNING IN HACMP ON AIX 6.1

Error description

This is a code change in RSCT to stop running the emaixos subsystem (harmad process) in PowerHA clusters on AIX 6.1. See APAR IZ47424 for more background.

Problem summary

While existing levels of PowerHA may still be supporting applications which are dependent on the RSCT subsystem “emsvcs” (haemd process), its supporting subsystem “emaixos” (harmad process) is not needed even on those clusters.

This harmad process has also been the source of most of the recent incompatibility issues with the latest levels of AIX 6.1, generating error messages or core dumps which demand attention and time from system admins even though the process itself no longer provides useful services.

nmon Analyser Version 3.4 = Just Released, Get Your Copy Today

https://www.ibm.com/developerworks/mydeveloperworks/blogs/aixpert/entry/nmon_analyser_version_3_4_just_released_get_your_copy_today11?lang=en

Stephen Atkins (the Guru behind the nmon Analyser) has released a new version – two days ago.  This includes loads of improvements and some new features.  Best of all – fewer problems running on newer Excel releases (it works around inconsistencies with the Microsoft API).

I have always said that at least 50% of the popularity of my nmon is down to the excellent Analyser graphs. Very few people regularly see the online screen view.

Thanks again Steve, for all your many hours of hard work in your personal time on behalf of the tens of thousands of nmon users.

Download the new nmon Analyser version today from the nmon Analyser web page
or remember this URL   http://tinyurl.com/nmonanalyser

Also note in the ZIP file there is the updated nmon Analyser documentation and answers to many common questions.

If I get asked one more time: “What is a Weighted Average?”
I might explode!    RTFM = Read The Flaming Manual.

I ripped the below from that web page, to whet your appetite:

Version 3.4

  • Improved support for Excel 2007 and 2010
  • Support for 64-bit Windows
  • Ability to specify time values instead of interval numbers
  • Wildcard support in LIST
  • Limit the overall number of CPU, PhysicalCPU and SharedCPU sheets generated
  • Add graphs for the PCPU and SCPU sheets
  • Correct handling of the DISKRXFER sheet
  • Fix a bug with the MERGE option
  • Automatically include CPU_SUMM, DISK_SUMM and SYS_SUMM in LIST

NOTE:  V3.4 is designed for use with topas/nmon but will work with most older versions.   In case of problems analysing older files, try using V3.2.7

FLASH: AIX NFSv4 vulnerability

VULNERABILITY: AIX NFSv4 vulnerability

PLATFORMS: AIX 5.3, 6.1, and 7.1 releases

SOLUTION: Apply the fix as described below.

THREAT: See below

CVE Numbers: CVE-2012-4817

Reboot required? YES
Workarounds? NO
Protected by FPM? NO
Protected by SED? NO

===============================================================================
DETAILED INFORMATION

I. DESCRIPTION ( From cve.mitre.org)

GID in NFSv4 is loosely enforced.

II. CVSS

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78431 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

III. PLATFORM VULNERABILITY ASSESSMENT

Note: To use the following commands on VIOS you must first
execute:

oem_setup_env

To determine if your system is vulnerable, execute the following
command:

lslpp -L bos.net.nfs.client

The following fileset levels are vulnerable:

AIX Fileset           Lower Level   Upper Level
------------------------------------------------
bos.net.nfs.client    5.3.12.0      5.3.12.5
bos.net.nfs.client    6.1.6.0       6.1.6.17
bos.net.nfs.client    6.1.7.0       6.1.7.2
bos.net.nfs.client    7.1.0.0       7.1.0.20
bos.net.nfs.client    7.1.1.0       7.1.1.3

IV. SOLUTIONS

A. APARS

IBM has assigned the following APARs to this problem:

AIX Level   APAR number   Availability
------------------------------------------
5.3.12      IV17855       Available as of SP6
6.1.6       IV10327       Available as of SP7
6.1.7       IV11629       Available as of SP3
7.1.0       IV26436       12/12/12 sp8
7.1.1       IV12169       Available as of SP4

Subscribe to the APARs here:

http://www.ibm.com/support/docview.wss?uid=isg1IV17855
http://www.ibm.com/support/docview.wss?uid=isg1IV10327
http://www.ibm.com/support/docview.wss?uid=isg1IV11629
http://www.ibm.com/support/docview.wss?uid=isg1IV26436
http://www.ibm.com/support/docview.wss?uid=isg1IV12169

By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.

B. FIXES

Fixes are available. The fixes can be downloaded via ftp
from:

ftp://aix.software.ibm.com/aix/efixes/security/nfsv4_fix1.tar

The link above is to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.

AIX Level   Interim Fix (*.Z)
------------------------------------------
7.1.0.7     IV26436s07.120907.epkg.Z

VIOS Level            Interim Fix (*.Z)
------------------------------------------
2.2.1.4-FP-25 SP-02   Included in current SP

To extract the fixes from the tar file:

tar xvf nfsv4_fix1.tar
cd nfsv4_fix1

Verify you have retrieved the fixes intact:

The checksums below were generated using the “csum -h SHA1” (sha1sum) command:

csum -h SHA1 (sha1sum)                     filename
------------------------------------------------------------------
8f42e3c1a5eb3a0d73d7be8d38265544f9abd866   IV26436s07.120907.epkg.Z

To verify the sum, use the text of this advisory as input to sha1sum.
For example:

csum -h SHA1 -i Advisory.asc
sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

C. FIX AND INTERIM FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.

To preview a fix installation:

installp -a -d fix_name -p all    # where fix_name is the name of the fix package being previewed.

To install a fix package:

installp -a -d fix_name -X all    # where fix_name is the name of the fix package being installed.

Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.

V. WORKAROUNDS

There are no workarounds.

VI. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

http://www.ibm.com/systems/support

and click on the “My notifications” link.

To view previously issued advisories, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be
directed to:

security-alert@austin.ibm.com

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

A. Send an email with “get key” in the subject line to:

security-alert@austin.ibm.com

B. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

C. Download the key from a PGP Public Key Server. The key ID is:

0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.

VII. ACKNOWLEDGMENTS

IBM discovered and fixed this vulnerability as part of its
commitment to secure the AIX operating system.

VIII. REFERENCES:

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/78431
CVE-2012-4817: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4817

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the
impact of this vulnerability in their environments by accessing the links
in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry
open standard designed to convey vulnerability severity and help to
determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES
“AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY.

AIX Shell Scripting Made Easy

http://www.ibmsystemsmag.com/aix/administrator/security/shell_easy/?page=1

AIX Shell Scripting Made Easy

September 2012 | by Andrew Wojnarek

In “AIX Shell Scripting Made Simple,” I explained the basics of shell scripting and why it’s so useful. However, it’s not only simple, but easy! Delving further, we’ll see how easy and powerful this tool can be. Additionally, we’ll explore building more advanced Bourne shell scripts as well as Perl “one-liners” for certain situations.

As you may know, IBM releases security vulnerability information for AIX. The site usually gives a description of the vulnerability, the fileset levels it affects and where to find the PTF/EFIX. So the script, if built right, will go out to all your servers and detect whether they’re vulnerable.

The Shell Script

The mockup script shown here assumes you have keys set up to SSH out to each server. It does not have to be run as root. The entire shell script, without comments, can be found here.

#!/usr/bin/env sh
# Checks for vulnerability in AIX RPC first issued May 8th.     

#############
# Variables #
#############
# These are all the levels vulnerable to this exploit.
_vulnerable_levels=(  "5.3.12.0" "5.3.12.1" "5.3.12.2" "5.3.12.3"
 "5.3.12.4" "5.3.12.5" "6.1.5.0" "6.1.5.1" "6.1.5.2"
 "6.1.5.3" "6.1.5.4" "6.1.5.5" "6.1.5.6" "6.1.5.7"
 "6.1.6.0" "6.1.6.1" "6.1.6.2" "6.1.6.3" "6.1.6.4"
 "6.1.6.5" "6.1.6.6" "6.1.6.7" "6.1.6.8" "6.1.6.9"
 "6.1.6.10" "6.1.6.11" "6.1.6.12" "6.1.6.13" "6.1.6.14"
 "6.1.6.15" "6.1.6.16"  "6.1.7.0" "6.1.7.1" "7.1.0.0"
  "7.1.0.1"  "7.1.0.2"  "7.1.0.3"  "7.1.0.4"  "7.1.0.5"
  "7.1.0.6"  "7.1.0.7"  "7.1.0.8"  "7.1.0.9"  "7.1.0.10"
  "7.1.0.11"  "7.1.0.12"  "7.1.0.13"  "7.1.0.14"  "7.1.0.15"
  "7.1.0.16" "7.1.0.17" "7.1.1.0" "7.1.1.1" )

This produces an array with the fileset levels affected by this vulnerability, which is important because we need to define all of the vulnerable levels. You can find these values on the site where the vulnerability is defined.

_ssh_opts='-q -o BatchMode=yes -o ConnectTimeout=20
 -o ConnectionAttempts=1 -o ClearAllForwardings=yes'

This indicates the options we’re going to use to SSH to each server. You can change these without affecting the script output.

# Enter standout (highlighted) mode.
_b=`tput smso`

# Reset text attributes.
_nb=`tput sgr0`

_date=`date +"%m%d%y_%H%M%S"`

_hosts="host1 host2 host3"

This variable specifies which servers you want to use. If you don’t set it, it won’t work.

for _host in ${_hosts}
do
        # Go out to the server and make sure it is AIX.
        # If it's not, skip it.
        _uname=`ssh ${_ssh_opts} ${_host} "uname"`
        if [ "${_uname}" != "AIX" ]; then
                continue
        fi

        # Get the fileset level for bos.net.tcp.client
        _actual_host_level=`ssh ${_ssh_opts} ${_host} "lslpp -L bos.net.tcp.client | grep bos.net.tcp.client | awk '{ print \\$2 }'"`

The line above SSHs out to the server, ${_host}, and gets the value for the affected fileset—in this case bos.net.tcp.client.

        # Failure counter.
        _fail=0

        # Main loop.
        for _vulnerable_level in ${_vulnerable_levels[@]} #

(Notice the [@], which represents the entire array.)

        do
                # If the values from our array match actuals, then say so.
                if [ "${_actual_host_level}" = "${_vulnerable_level}" ]; then
                        printf "${_host} is vulnerable with bos.net.tcp.client of ${_actual_host_level}.\n" | tee -a rpc.scan.${_date}
                        _fail=`expr ${_fail} + 1`
                fi
        done

Here is the loop where we take the value of the fileset from our server and compare it to the filesets in our array.

        # If our failure counter hasn't gone off, then declare us not vulnerable.
        if [ ${_fail} -eq 0 ]; then
                printf "${_host} is not vulnerable.\n" | tee -a rpc.scan.${_date}
        fi
done
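Both the NFSv4 advisory above, which publishes the affected bos.net.nfs.client levels as lower/upper ranges, and the script just shown, which types out every vulnerable bos.net.tcp.client level by hand, come down to one check: is the installed fileset level inside a published range? The POSIX sh example below is added here and is not from the article or the IBM advisory; it compares dotted levels numerically against the CVE-2012-4817 ranges and pulls the Level column from a constructed lslpp -L sample, so a new advisory means adding one range line rather than every level in it.

```shell
#!/bin/sh
# Added example (not from the article or the advisory): check an installed
# fileset level against the CVE-2012-4817 ranges by numeric level comparison.

# Inclusive lower/upper vulnerable levels of bos.net.nfs.client, one range
# per line, copied from section III of the advisory.
NFS_VULN_RANGES="5.3.12.0 5.3.12.5
6.1.6.0 6.1.6.17
6.1.7.0 6.1.7.2
7.1.0.0 7.1.0.20
7.1.1.0 7.1.1.3"

# Constructed sample of 'lslpp -L bos.net.nfs.client' output (not a real host).
SAMPLE_LSLPP="  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.net.nfs.client         6.1.7.1    C     F    Network File System Client"

# vercmp A B: prints -1, 0 or 1, comparing dotted levels field by field as
# integers so that 6.1.6.17 sorts after 6.1.6.9 (a string compare would not).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# matching_range LEVEL: prints "lower-upper" of the first range containing
# LEVEL, or nothing when it is outside every range.
matching_range() {
    printf '%s\n' "$NFS_VULN_RANGES" | while read -r lo hi; do
        [ -n "$lo" ] || continue
        if [ "$(vercmp "$1" "$lo")" -ge 0 ] && [ "$(vercmp "$1" "$hi")" -le 0 ]; then
            printf '%s-%s\n' "$lo" "$hi"
            break
        fi
    done
}

# is_vulnerable LEVEL: exit status 0 when LEVEL lies inside a published range.
is_vulnerable() {
    [ -n "$(matching_range "$1")" ]
}

# fileset_level FILESET: reads lslpp -L output on stdin and prints the Level
# column of the line whose first field is FILESET (empty if not installed).
fileset_level() {
    awk -v fs="$1" '$1 == fs { print $2; exit }'
}

# Stand-alone run over the constructed sample; on a real host feed the output
# of "lslpp -L bos.net.nfs.client" into fileset_level instead.
level=$(printf '%s\n' "$SAMPLE_LSLPP" | fileset_level bos.net.nfs.client)
range=$(matching_range "$level")
if [ -n "$range" ]; then
    echo "bos.net.nfs.client $level is inside vulnerable range $range: apply the APAR or interim fix"
else
    echo "bos.net.nfs.client $level is outside the published vulnerable ranges"
fi
```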

Perl One-Liners

Perl one-liners are extremely versatile tools. While probably not needed every day, they’re great to write down and keep handy for when they are needed. Having the perfect one-liner ready is often impressive to those around you. While not critical, it’s kind of cool:

1. Convert Epoch (UNIX time; since January 1st 1970) to human readable time.

perl -e 'print scalar(localtime(EPOCHTIME)), "\n"'

Example:

[root@aix61-03]/root> perl -e 'print scalar(localtime(1342885345)), "\n"'
Sat Jul 21 11:42:25 2012

This one is very useful on AIX for determining the last time a user changed his or her password. To do so, look in the /etc/security/passwd file. It will look like this:

root:
        password = encryptedpassword
        lastupdate = 1311019884

So take the lastupdate epoch time number, and place it inside the perl parentheses to get the last time the password was changed.

2. Remove all blank lines from a file.

perl -ne 'print unless /^$/' FILE

Example:

This is our test file:

[root@gvicaix61-03]/root> cat test
This is a line

This is a space ^

This is two spaces ^

This is using our one-liner:

[root@aix61-03]/root> perl -ne 'print unless /^$/' test
This is a line
This is a space ^
This is two spaces ^

3. Insert line numbers on a file.

perl -ne 'print "$. $_"' FILE

Example:

[root@aix61-03]/root> perl -ne 'print "$. $_"' test
1 This is a line
2
3 This is a space ^
4
5
6 This is two spaces ^

As we move beyond the basics of shell scripting, creating arrays, comparing values and understanding more advanced logic are important lessons to learn. The Perl one-liners are an excellent resource to keep in your back pocket as well. In my next shell scripting article, we’ll dive into more advanced Bourne scripting, and introduce other languages well-suited for sysadmin tasks.

Planning a two-node IBM PowerHA SystemMirror cluster: Six must-know items

http://www.ibm.com/developerworks/training/kp/au-kp-powerha_cluster/index.html?cmp=dw&cpb=dwaix&ct=dwnew&cr=dwnen&ccy=zz&csr=091412

1. What is PowerHA SystemMirror for AIX?

Get an overview of the IBM PowerHA® SystemMirror high-availability (HA) solution, find out what it protects and learn about its product architecture.

READ: Introduction to PowerHA
READ: IBM PowerHA SystemMirror 7.1 for AIX, chapters 1 and 2

2. Infrastructure planning and configuration

To plan and implement a two-node PowerHA cluster, you should determine what version of PowerHA you will implement, what version of the IBM AIX® operating system will be required, how you will handle Ethernet network and storage redundancy, and lastly, how many PowerHA nodes will be in the cluster.

READ: Planning PowerHA SystemMirror, topics “Planning cluster network connectivity,” “Planning shared disk and tape devices” and “Planning shared LVM components”
READ: IBM PowerHA SystemMirror 7.1 for AIX, chapter 3
WATCH: PowerHA7.1 Part 2 SMIT configuration

3. Application planning and configuration

Learn how to use Smart Assists to simplify application planning and configuration. Manual configuration is also available.

READ: Planning PowerHA SystemMirror, topics “Planning Resource Groups” and “Applications and PowerHA SystemMirror”
READ: The topic pertinent to your application to consider using Smart Assists in the information center.
READ: IBM PowerHA SystemMirror 7.1 for AIX, chapter 6

4. Configure the application into PowerHA

Use either SMIT or the PowerHA SystemMirror IBM Systems Director plug-in to create the PowerHA cluster, nodes, networks, resources and resource groups.

READ: IBM PowerHA SystemMirror 7.1 for AIX, chapter 5
WATCH: Configuring a PowerHA SystemMirror V7.1 for AIX Cluster – IBM Training
READ: Installing PowerHA SystemMirror
READ: clmgr: A Technical Reference

5. Test the configured cluster

Learn about various test plans and simulations to help you determine if PowerHA is configured and working correctly. After you have created the cluster, run the test plan, documenting behaviors and resolving problems.

READ: IBM PowerHA SystemMirror 7.1 for AIX, chapter 9
WATCH: PowerHA7.1 Part 4 HA in action

6. What PowerHA course is right for my environment and administering my PowerHA cluster?

For more detailed information and lab exercises, consider IBM Training. A PowerHA SystemMirror for AIX cheat sheet is also included.

WATCH: What’s new in IBM Training’s PowerHA curriculum
READ: IBM PowerHA for AIX System Administration Training
READ: The PowerHA for AIX (formerly HACMP) cheat sheet

Tip: Renaming AIX Devices

In AIX 6.1 TL6 and AIX 7.1 a new command was introduced to rename
devices in AIX, “rendev”. This makes keeping your rootvg on hdisk0
(and hdisk1) and preserving device naming consistency across VIO and
HACMP nodes simple!

http://pic.dhe.ibm.com/infocenter/aix/v6r1/topic/com.ibm.aix.cmds/doc/aixcmds4/rendev.htm

rendev -l device -n newname

A few caveats for your readers:

– Renaming devices should always be done while the device is in a
“Defined” state (ie: after “rmdev -l”), it cannot be used on active
PVs in a VG or other online devices. “rendev” can do this for you,
but it is better to prepare the devices yourself.

– Renaming Ethernet (entX) adapters requires either manually renaming
the enX and etX adapters, or removing them; once the entX device
has been renamed, “cfgmgr” will create matching enX & etX devices.

– Renaming fiber cards (fcsX) requires all child devices be renamed
manually. This includes fcsX, fscsiX, fcnetX, and sfwcommX. Use
“rmdev -Rl fcsX” to unconfigure all the parent and child devices
into the “Defined” state, and then rename them. “cfgmgr” will not
name the child devices to match.

– I would recommend using “rendev” for renumbering like devices (ie:
ent2 -> ent11), not giving devices new name prefixes (ie: ent2 ->
lan3).

– Renaming device paths that are used by other device drivers (ie:
Powerpath) may cause issues.