

VIOS Advisor Explained

“The goal of the VIOS advisor is not to provide another monitoring tool, but instead have an expert system view performance metrics already available to the customer and make assessments and recommendations based on the expertise and experience available within the IBM systems performance group.”

Sounds interesting? It does? Follow this link to the latest article by Rob McNelly in the “IBM Systems Magazine“, AIX edition.

Posted in AIX, Real life AIX.




LDAP users can log into AIX with no or invalid password

Apparently it is nice to be liked. Today, I installed the LDAP client on a set of Oracle test machines, and shortly afterwards Adi tells me that he can ssh to other hosts without a password or with a wrong one. Oops, a big Oops indeed…

These two machines are running AIX 6.1.6.4, while all the other ones that I have switched to TDS/AD authentication are AIX 6.1.6.5 or 6.1.6.6, and they do not demonstrate these dangerous “abilities”. The few hosts with the LDAP client running AIX 5.3.12.2 also do not show this behavior.

This dangerous issue apparently is specific to 6.1.6.4, which explains why any earlier or later OS versions do not show it. IBM has an emergency fix neutralizing this problem, which is known as IZ97416. To install it, execute:

emgr -e IZ97416.110329.epkg.Z

Now, do verify that the previous password-less logins from the AIX 6.1.6.4 LDAP client to other AIX hosts are no longer possible.
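An added example, not part of the original post or of any IBM tooling: a shell function that classifies a host from the text of oslevel -s and emgr -l, so the 6.1.6.4 LDAP clients that still lack the fix can be found across a fleet. The oslevel string form 6100-06-04-*, the efix label IZ97416, the emgr -l column order and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host from captured `oslevel -s` and `emgr -l` text.

# ifix_status OSLEVEL EMGR_LISTING
# Prints: not-affected | missing | installed:<STATE>
ifix_status() {
    case $1 in
        6100-06-04-*) ;;                  # assumed oslevel -s form of AIX 6.1.6.4
        *) echo not-affected; return 0 ;; # the post reports other levels as unaffected
    esac
    # Assumed emgr -l layout: ID, STATE, LABEL, ...; label assumed to be IZ97416.
    state=$(printf '%s\n' "$2" | awk '$3 == "IZ97416" { print $2; exit }')
    if [ -z "$state" ]; then
        echo missing
        return 1
    fi
    echo "installed:$state"               # S = stable, Q = reboot required
}

# Constructed sample output (not captured from a real host).
SAMPLE_EMGR='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ==========================
1    S    IZ97416    03/30/11 10:15:02            constructed sample row'

ifix_status "6100-06-04-1112" "$SAMPLE_EMGR" || true   # installed:S
ifix_status "6100-06-04-1112" ""             || true   # missing
ifix_status "6100-06-06-1140" ""             || true   # not-affected
```

On a live host the call would be ifix_status "$(oslevel -s)" "$(emgr -l 2>/dev/null)"; a result of missing means the login test described above still needs to be repeated after installing the fix.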

Posted in ldap, Real life AIX.



TDS Server refuses to START…… error: GLPRDB111E

Yesterday, I got a fair share of excitement. One of my TDS servers mysteriously stopped working…. Looking in the ibmslapd.log I found staring back at me this message:

12/15/11 09:03:43 GLPRDB111E The server is unable to use the username and password combination for the DB2 instance owner in the configuration file to establish a connection to the database.

This entry from one of KnowWiki pages provided the solution:

Make sure your instance name user is active and has the active password.

OK, I open a new putty session and log in with the instance name user. AIX immediately responds, announcing that this user's password has expired and needs to be changed…! I know what to do next – after I log in and su -, I execute pwdadm -c instance_name followed by chuser rlogin=false expires=0 instance_name so this user password never expires and simultaneously the remote log-in ability is removed from this account to make it more secure. Next, I start the TDS instance, which comes alive like nothing ever happened.

Now, do repeat the same steps on the other TDS servers, please.

Well, I was a happy AIX administrator for a very short time….. The next restart produced this:

12/15/11 09:03:43 GLPRDB111E The server is unable to use the username and password combination for the DB2 instance owner in the configuration file to establish a connection to the database.

It seems appropriate to investigate the ibmslapd.conf file. What helped me was a fully functional second TD server (peer). I noticed that the non-functional server showed a wrong key file name and location in its ibmslapd.conf file. In my case these should be located in the directory /etc/security/ldap, with the file name always ServerKey.kdb, like this:

/etc/security/ldap/ServerKey.kdb

The configuration file had instead:

ibm-slapdSslKeyDatabase:/opt/IBM/ldap/V6.3/etc/ldapkey.kdb
ibm-slapdsslkeydatabasepw: {AES256}3yBk0e0qwzqL7/glbBSodA==

I recognized that I had to change the first entry to correctly identify the location of the GSK key database. The second issue to deal with was to re-create the encrypted password…… This step requires the creation of a simple LDIF file:

dn: cn=SSL, cn=Configuration
changetype: modify
replace: ibm-slapdSslKeyDatabasepw
ibm-slapdSslKeyDatabasepw: abcABC123

The abcABC123 represents the unencrypted password used to create (stashed into) the file ServerKey.kdb. The ldapmodify command will update the TD server configuration and encrypt the password.

ldapmodify -D cn=root -w Admin_Password -i update.ldif

The first time it did not work because the LDAP server was down; I restarted it in configuration mode and this time ldapmodify did work. To end my misery, I rebooted the server. After a few minutes, execution of idsldapsearch over SSL from an AIX client against each of the TD servers worked, finally!

ldapsearch -h aixtds1 -Z -K /etc/security/ldap/ClientHost.kdb \
 -P abcABC123 -b "" -s base objectclass=*

ldapsearch -h aixtds2 -Z -K /etc/security/ldap/ClientHost.kdb \
 -P abcABC123 -b "" -s base objectclass=*
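An added example, not part of the original post or of TDS itself: a shell check that reads the ibm-slapdSslKeyDatabase entry from an ibmslapd.conf-style file and compares it with the expected key database path, which is the peer comparison described above done mechanically. The function names and the result strings are hypothetical; the sample input is the two lines quoted in the post with the password value redacted.

```shell
#!/bin/sh
# Added example: audit the SSL key database entry of an ibmslapd.conf-style file.

# kdb_path CONF: print the value of ibm-slapdSslKeyDatabase. Attribute names
# are matched case-insensitively (the excerpt in the post mixes the spelling);
# the ...pw attribute is a different name and is never printed.
kdb_path() {
    awk '{
        i = index($0, ":"); if (i == 0) next
        name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (name == "ibm-slapdsslkeydatabase") { print val; exit }
    }' "$1"
}

# check_kdb CONF EXPECTED: prints ok, missing-entry, mismatch:<path> or
# unreadable:<path>; returns non-zero unless the result is ok.
check_kdb() {
    found=$(kdb_path "$1")
    [ -n "$found" ] || { echo missing-entry; return 1; }
    [ "$found" = "$2" ] || { echo "mismatch:$found"; return 1; }
    [ -r "$found" ] || { echo "unreadable:$found"; return 1; }
    echo ok
}

# Sample input: the entries quoted in the post, password value redacted.
demo_conf=${TMPDIR:-/tmp}/ibmslapd.sample.$$
cat > "$demo_conf" <<'EOF'
ibm-slapdSslKeyDatabase:/opt/IBM/ldap/V6.3/etc/ldapkey.kdb
ibm-slapdsslkeydatabasepw: {AES256}REDACTED
EOF
check_kdb "$demo_conf" /etc/security/ldap/ServerKey.kdb || true
rm -f "$demo_conf"
```

To compare against a working peer instead of a fixed path, pass the peer's value as the expected argument: check_kdb local.conf "$(kdb_path peer.conf)".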

Posted in ldap, Real life AIX.



IBM Power Systems Hardware Information Center

It can be useful to know about this place – “IBM Power Systems Hardware Information Center“.

Posted in AIX.



Pass Through Authentication between TDS Ldap servers and ActiveDirectory over SSL

I installed two IBM Tivoli Directory Servers (LDAP), configured replication between them (Peer to Peer) and finally set the PTA to AD servers for logins and passwords – no more separate login to Windows or AIX, no separate password standards, attributes to maintain….

To set SSL based authentication between AIX based TDS and clients was easy. You can find excellent directions by following this link: http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg21254270
By the way if you want to enable SSL to the Management Console (the Web Admin Tool) follow this link: http://www-01.ibm.com/support/docview.wss?rs=767&context=SSVJJU&dc=DB520&uid=swg21254990&loc=en_US&cs=utf-8&lang=en (thanks Debra from IBM LDAP support :-D)

Then you have to set each AIX client to enable SSL communication between them and TD servers.

Finally, the Pass Through authentication between each TD server and Active Directory server has to be modified to use SSL too. Follow the rest of this post to see how this could be done without using ikeyman – this utility is not working for me. I get these silly messages saying “The CMS Java native library was not found. Please make sure the SSL component required ........ .” and I have opened a PMR in this regard – will post the resolution as soon as I get it.

Posted in ldap.



Recovering root password using NIM

It happens, not often but it does and when it does it usually sucks. If nothing else is available to you to reset the root password but this “environment” has a working NIM server you may try the procedure documented under this link http://www.symmetricwebsites.com as the “AIX: Recovering A Lost Root Password On A P-Series LPAR, Using A NIM Server”.
Whoever created documents there did a really splendid job. I believe many will find this site useful.

The same can be done without a NIM server using AIX installation media. But then “somebody” has to travel to insert the media into the host with unknown root password.

Posted in AIX, Real life AIX.



Fixing a virtualized rootvg

The basic fact of life – in places with multiple system administrators, sometimes one “steps on the toes of another”. Recently, it happened to me.
A host which previously was configured to boot off a mirrored rootvg, with each of its disks delivered from one of two VIO servers, reported one of the disks as missing. A colleague told me that by mistake he took one of “my” vfscsi adapters and used it for the partition he was building. Recognizing the error, he returned the adapter. It is not as bad as it seems. First, “my” host is still not in production mode. Second, I have something to blog about!

Posted in Real life AIX.


Dynamic Logical Partitioning does not work

Yesterday, I found an article describing the most common reason for DLPAR operations failures.
It can be found here: “The most common reasons for failures with Dynamic Logical Partitioning”.

Keep reading – “Checking status of the RMC connection on IVM and HMC using rmcdomainstatus”.

Posted in HMC, Real life AIX.



line termination problems using SFTP

I found a nice article on the OpenVOS blog that shares a lot of detailed information on sftp and the way it moves data between UNIX and Windows. Those replacing ftp with sftp may find it very interesting.

Here it is “Line Termination Problems Using SFTP“.

Posted in AIX, Real life AIX.





Copyright © 2015 - 2016 Waldemar Mark Duszyk. - best viewed with your eyes.. Created by Blog Copyright.