ikeyman and getting it to work for you….

Well, I am not suggesting that there is something wrong with it, some error or anything that bad. Just that in my case, in order to get the “CMS key database type” as one of the options, I had to do the following:

1. update my .profile to include these two directives:

export JAVA_HOME=/usr/IBM/HTTPServer/java

export PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb/usr/bin/X11

These directives re-point Java to ikeyman’s own Java file sets; PATH is not pointing to any AIX Java directories.

2. update the file $JAVA_HOME/jre/lib/security/ to add these two lines (to make ikeyman aware of CMS):

where X and X+1 are the next consecutive numbers.
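As an added example (not from the original post), the shell function below shows how the “next consecutive numbers” in step 2 can be computed instead of guessed: it reads the existing `security.provider.N=` entries of a java.security file, finds the highest N, and appends the new providers at N+1 and N+2. The provider class names and the sample file are constructed placeholders; the real class names and the real `$JAVA_HOME/jre/lib/security` path come from the ikeyman/GSKit documentation for your release.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM.
# Registers extra providers at the next free security.provider.N slots.
# Provider class names used below are hypothetical placeholders.

# Usage: add_providers <java.security path> <provider class> [<provider class>...]
add_providers() {
    secfile=$1
    shift
    # Highest existing security.provider.N index (0 if the file has none).
    last=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$secfile" | sort -n | tail -1)
    if [ -z "$last" ]; then
        last=0
    fi
    next=$((last + 1))
    for cls in "$@"; do
        # Skip a class that is already registered; duplicate entries break the provider chain.
        if grep -q "^security\.provider\.[0-9]*=$cls\$" "$secfile"; then
            echo "already registered: $cls" >&2
            continue
        fi
        echo "security.provider.$next=$cls" >> "$secfile"
        next=$((next + 1))
    done
}

# Print the index at which a provider class is registered; exit non-zero if absent.
provider_index() {
    sed -n "s/^security\.provider\.\([0-9][0-9]*\)=$2\$/\1/p" "$1" | head -1 | grep .
}

# Demonstration on a constructed copy of java.security (never edit the live file untested).
demo() {
    tmp=${TMPDIR:-/tmp}/java.security.$$
    cat > "$tmp" <<'EOF'
# constructed sample of the provider list found in java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
EOF
    add_providers "$tmp" example.cms.PlaceholderCMSProvider example.cms.PlaceholderKeyStore
    add_providers "$tmp" example.cms.PlaceholderCMSProvider   # second call is a no-op
    provider_index "$tmp" example.cms.PlaceholderCMSProvider  # 4
    provider_index "$tmp" example.cms.PlaceholderKeyStore     # 5
    rm -f "$tmp"
}

demo
```

Run it against a copy of java.security first; once the appended lines look right, apply the same function to `$JAVA_HOME/jre/lib/security/java.security` and, as the post does with .profile, revert the change when ikeyman is no longer needed.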

For a nice post guiding you through the process of creating key databases, issuing certificates and so forth, follow this link.

I reversed my .profile to its original state after I was done using ikeyman.

fc_qns on steroids = sanscan

In the past, I learnt to appreciate fc_qns. Lately, I started using its bigger and better “version” called sanscan.
You can get it from an IBM service engineer. Just call 1-800-IBM-SERV, open a SAN-related PMR and, after you are connected with your engineer, ask for sanscan. I will have it here as soon as I figure out how to allow downloads from my blog….

If your AIX hosts are SAN attached you must have sanscan, really.


sanscan v2.2
Copyright (C) 2010 IBM Corp., All Rights Reserved

Processing FC device:
    Adapter driver: fcs0
    Protocol driver: fscsi0
    Connection type: fabric
    Local SCSI ID: 0x011e00
    Local WWPN: 0x10000000c9460ab1
    Local WWNN: 0x20000000c9460ab1

Initializing device information...
Scanning SAN...
SCSI ID LUN ID   WWPN    WWNN    Vendor ID Product ID Rev  NACA Qualifier     Device    Type                  Error(s)
070c00  0000000000000000 5005076801302afd 5005076801002afd IBM   2145  0000 yes  Not connected Unknown                or no device

sanscan produces tons of information that may be priceless for a stressed AIX administrator. Ask for it.

ssh does not work, really?

You will find a few posts touching ssh “issues” in this blog. This morning, I had to interrupt my daily routine (building, building, and more building for migration from the older to the newest hardware) in order to convert the “old” scripts (rcp based) into the new (scp based) – for the very well known reasons….

new sshd issues – it keeps dying…

Today, I was made aware that users cannot log in (using PuTTY/ssh) to one of the WPARs. Thank God for the clogin command, which allows root logins from the parent partition to any of its WPARs (children).
So after I logged in to the parent LPAR and executed clogin followed by the appropriate WPAR name, I was able to log in to check and fix what was broken.

AIX native ACLs – a primer

The triplets of read, write and execute associated with a file object have been around as long as UNIX. To say that today their usefulness has depreciated is nothing but an understatement. Still, despite the amount of time that has passed since UNIX’s introduction, many sites rely on nothing but rwx to set access privileges, which results (often and frequently) in file systems/directories being wide open to access by all who can log into the host. Why? Often because of a “conflict of interests”: initially we create numerous groups with the best of intentions, which we assign to their respective file systems, only to quickly yield to business requirements dictating that the members of one group also be able to access the files in the other file system, and so forth and so forth. I do think that currently the usefulness of the original triplets rwx.

Well, regardless of who is right and who is not, I want to suggest you introduce yourselves to AIX ACLs, RBAC and maybe even to NFS v4 ACLs (who knows, maybe this is God’s gift to AIX administrators?). This post will try to introduce you to AIX’s own ACLs, which deliver more granular control over file objects. Note that NFS v4 ACLs deliver far more granular control than AIX native ACLs.

are you looking for AIX administrator?

A colleague and a friend of mine who is a certified AIX/HACMP/VIO/TSM administrator with many years of experience is looking for a new opportunity (preferably in the north-east USA).

If you need an experienced AIX administrator who, by the way, also knows SAN and VMS, then please leave me a comment with your name and email address and/or your cell.
Your “comment” will be 100% private.


MarkD 😀

SDDPCM – change fscsi? attributes without a reboot

It is not difficult to change the attributes of a “child” of a fibre channel (FC) adapter (fscsi) operating in the SDDPCM environment. The procedure shown below does not require a host reboot or application downtime.

adding clients to existing VIO environment cont’d.

The previous post ended at the point where we recognized that we could not add any more virtual adapters to the VIO server. The slot number we had selected for the new virtual FC adapter happened to equal the VIO server’s maximum number of virtual adapters. With the HMC GUI, we modified the value on each VIO server (we have two in this managed “frame”) and, after shutting it down, we powered it back on using the “activate” profile option. By the way, we changed the “maximum number of adapters” from 60 to 200.

Unfortunately, what has been described so far is not all. In this environment, VIO clients (partitions) receive their boot disks (the rootvg disks) from each VIO server, which means that each time a VIO server goes down, one disk from a client’s rootvg goes missing and the rootvg becomes stale. This is true for all client partitions on this managed system.

Delayed SEA Failover

Yesterday, while failing over a pair of VIO servers, we noticed that the usual two to three “ping” loss turned into a 40 second delay….. A few partitions with Oracle did not really like it and crashed. Fortunately for us these were not the “Production” machines, just the “Test” and “Development” ones.
After opening a PMR we speculated for a while that our “SEA” adapters have several VLAN tags associated with them and that maybe this is the reason for the delay. Well, today we know more and do not need to speculate.
Please follow the link below, which not only shows how to perform SEA failover and how to test it, but also indicates that the presence of the “Spanning Tree Protocol” could be responsible for our experience: the long delay in network services for VIOS clients.

Here is the link:

