AIX Developers will discuss the latest in AIX technologies.
Hello Security Conscious Practitioners, or better should I say, Kerberos Loving People. They are synonyms, aren't they!
I am Sandeep R Patil, working on and interested in security, storage and related stuff, and I plan to blog on some of the features of IBM NAS (Network Authentication Service, not Network Attached Storage :-) in this context.
IBM released IBM Network Authentication Service Version 220.127.116.11 (IBM Kerberos, based on MIT Kerberos) in its latest AIX expansion pack and as a Web download (https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp). Though it's a minor release, it has some good features bundled with it. The following are their titles as listed in the Readme:
- TCP protocol support for KDC (AIX only)
- "ticket_lifetime" configuration relation support in krb5.conf file
- Post Run scripts for kinit and kdestroy commands
- Support for encrypted LDAP bind password
- Circular logging for IBM Network Authentication Service daemons
- Recertification with IBM Tivoli Directory Server (ITDS) 6.1
In this blog I would like to elaborate on "Post Run scripts for kinit and kdestroy commands". Many would have the following questions in mind:
- What is this feature?
- Is it applicable to me?
- I already have wrapper scripts for Kerberos utilities like kinit/kdestroy. Do I still need to worry?
Well, basically this feature lets administrators notify other dependent Kerberized applications that kinit or kdestroy has completed successfully, so those applications can take appropriate action. Vague or meaningless? Let's dig a little more into this:
I understand that administrators can have their own wrapper scripts which do more or less what the feature does. But there are a couple of exceptions. For example, there will be practitioners whose end users directly run the "kinit/kdestroy" programs, and we still want to make sure that the post scripts are called (not every customer has the wrappers). Moreover, these scripts are called only if "kinit" and "kdestroy" run successfully to completion. So if kdestroy fails for some reason, its post script will not be called. This is vital and will probably be missing from custom-made wrapper scripts (as they would not know whether kdestroy actually deleted the credential or failed for some valid reason).
To further emphasize its necessity: many Kerberos applications like NFS V4, the DB2 plug-in or custom-made Kerberos applications read the Kerberos credential and load it into their memory. If the credential is destroyed using "kdestroy" or renewed using "kinit" while it is in use, there is no means to notify such independent applications that they need to delete the respective credential from their memory (unless the Kerberized application keeps polling). These scripts help do this. Now if you are using Kerberized AIX NFS V4, you might be aware of the nfsauthreset command. Today, the user has to explicitly execute NFS V4's nfsauthreset command after running kinit/kdestroy. With this feature, once the administrator puts the nfsauthreset command in the kinit and kdestroy post scripts (two new files called post_kinit_script.sh and post_kdestroy_script.sh, created under the /etc/krb5 directory), Kerberos credential notification becomes seamless. I think this is a very necessary feature, and if you are using Kerberized AIX NFS V4, it is absolutely applicable to you :-) !
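The exit-status rule above (the post script runs only when kinit or kdestroy actually succeeded) is the part a hand-rolled wrapper usually gets wrong. The following wrapper is an added example, not code from the blog post or from the IBM NAS release: it reproduces that rule in plain sh for administrators on releases that do not have the feature yet. The hook path /etc/krb5/post_kdestroy_script.sh is the one named in the post, and it is assumed that the hook contains the nfsauthreset call and that kdestroy/kinit are on PATH.

```shell
#!/bin/sh
# Added example (not from the IBM blog post or the IBM NAS product): emulate
# the post-run-script behaviour so that an NFS credential reset only happens
# when the Kerberos command really completed.
# Assumed hook layout, as described in the post:
#   /etc/krb5/post_kdestroy_script.sh   (e.g. a script that runs nfsauthreset)
#   /etc/krb5/post_kinit_script.sh

# run_with_post_hook CMD HOOK [ARGS...]
# Runs CMD with ARGS, then runs HOOK only if CMD exited 0. A failed kdestroy
# (credential still present) therefore never triggers the reset. Returns
# CMD's exit status so the caller still sees the real result.
run_with_post_hook() {
    cmd=$1
    hook=$2
    shift 2

    "$cmd" "$@"
    status=$?

    if [ "$status" -eq 0 ]; then
        if [ -x "$hook" ]; then
            "$hook" || echo "warning: post-run hook $hook failed" >&2
        fi
    else
        echo "$cmd failed (exit $status); post-run hook $hook not run" >&2
    fi
    return "$status"
}

# Typical use (kdestroy/kinit assumed to be on PATH):
#   run_with_post_hook kdestroy /etc/krb5/post_kdestroy_script.sh
#   run_with_post_hook kinit /etc/krb5/post_kinit_script.sh "$USER"
```

The hook's own failure is reported but does not change the exit status returned to the user, so a broken nfsauthreset invocation shows up in stderr rather than masquerading as a kdestroy failure.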
Reference: nfsauthreset command - Notifies the Network File System (NFS) kernel extension to destroy the appropriate Generic Security Service API (GSSAPI) credentials from the kernel credentials cache.
http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds4/nfsauthreset.htm
Feel free to pass in your comments !
Till next time, Ciao - Sandeep
PS: Handy related links
http://www.ibm.com/developerworks/aix/library/au-nas_relatedtech/
http://www.alphaworks.ibm.com/tech/nasgui/
Hi there! Today I'd like to talk a little bit about the latest technology in the virtualization area – NPIV. NPIV is an acronym for N_Port ID Virtualization. N_Port ID Virtualization is a Fibre Channel (FC) industry standard technology that provides the capability to take a physical Fibre Channel Host Bus Adapter (HBA) port and assign it multiple unique world wide port names (WWPNs). The world wide port names can then be assigned to multiple initiators such as operating systems. Thus, NPIV allows a physical N_Port to be logically partitioned into multiple logical ports/FC addresses so that a physical HBA can support multiple initiators, each with a unique N_Port ID.
Since NPIV provides direct access to Fibre Channel adapters from multiple client partitions, it simplifies SAN management: the usual SAN management tools and best practices, such as LUN mapping/masking, fabric zoning, and fabric-based QoS and accounting, can be applied. With NPIV, multiple client partitions can share a set of adapters, yet have independent access to their own storage devices. This results in the most efficient adapter utilization.
NPIV is now supported on selected POWER6 processor-based servers and is included as part of PowerVM Express, Standard, and Enterprise Edition. For more information, check out the following website:
https://www14.software.ibm.com/webapp/set2/sas/f/vios/documentation/home.html
Hi, I’m Julie Craft from AIX development in Austin, TX. We wanted to start a conversation with our customers about some of the function that we ship with AIX, interesting things that are going on and even get feedback.
I’ve been working on install (Image Management), NIM, serviceability and Systems Management since AIX was a young operating system.
One of the functions that I know many customers don't know about is the ability to run inventory comparisons against NIM resources. You can do this through smit (smitty invcon) or with the niminv command.
Also, many customers have asked about using NIM to install the VIOS, and while there are separate menus for this (smitty nim_node_tasks), you can also use regular mksysb installation and backup. Just remember to back up the VIOS clients themselves as well.
And, don’t forget to use lppmgr on your lpp_sources. This command will remove superseded updates or any language packages you are not using and keep your lpp_sources clean and tidy. More function is coming that will help with management of Service Pack downloads, so stay tuned for that!
Next time I’d like to talk about service & Fix Central a bit.
Other developers are waiting in the wings with their blogs, so I’ll close for now.
Hi there. My name is Thierry, and I provide support for AIX WPAR mobility. Before talking about mobility I wanted to add some comments on system WPARs.
WPAR file system considerations:
----------------------------------------------
Creating a simple system WPAR with a command like "mkwpar -sn mywpar" will result in the creation of file systems and associated messages:
mkwpar: Creating file systems...
 /
 /home
 /opt
 /proc
 /tmp
 /usr
 /var
 ...
When the file system population is complete, I can review the file system definition with the WPAR characteristics list command:
root> lswpar -M mywpar
Name    Mount Point          Device       Vfs     Nodename  Options
-------------------------------------------------------------------
mywpar  /wpars/mywpar        /dev/fslv04  jfs2
mywpar  /wpars/mywpar/home   /dev/fslv05  jfs2
mywpar  /wpars/mywpar/opt    /opt         namefs            ro
mywpar  /wpars/mywpar/proc   /proc        namefs            rw
mywpar  /wpars/mywpar/tmp    /dev/fslv06  jfs2
mywpar  /wpars/mywpar/usr    /usr         namefs            ro
mywpar  /wpars/mywpar/var    /dev/fslv07  jfs2
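The listing above shows the isolation model in the mount options: the global /opt and /usr are lent to the WPAR as namefs mounts marked ro, while the WPAR's private data lives on its own jfs2 logical volumes. As an added example (not part of Thierry's post or of the AIX tooling), the script below parses output in the lswpar -M format and reports every global namefs mount that the WPAR can write to; the sample input is constructed from the listing in the post.

```shell
#!/bin/sh
# Added example, not from the blog post: audit an "lswpar -M" listing for
# global (namefs) file systems that a system WPAR mounts without "ro".
# The sample below is constructed from the listing shown in the post.

SAMPLE_LSWPAR_M='Name    Mount Point          Device       Vfs     Nodename  Options
-------------------------------------------------------------------
mywpar  /wpars/mywpar        /dev/fslv04  jfs2
mywpar  /wpars/mywpar/home   /dev/fslv05  jfs2
mywpar  /wpars/mywpar/opt    /opt         namefs            ro
mywpar  /wpars/mywpar/proc   /proc        namefs            rw
mywpar  /wpars/mywpar/tmp    /dev/fslv06  jfs2
mywpar  /wpars/mywpar/usr    /usr         namefs            ro
mywpar  /wpars/mywpar/var    /dev/fslv07  jfs2'

# writable_namefs_mounts: read lswpar -M output on stdin and print
# "<wpar> <mount point> <global path>" for each namefs entry whose
# comma-separated options (any field after Vfs) do not include "ro".
# The two header lines (column names and dashes) are skipped.
writable_namefs_mounts() {
    awk 'NR > 2 && $4 == "namefs" {
        ro = 0
        for (i = 5; i <= NF; i++) {
            n = split($i, opts, ",")
            for (j = 1; j <= n; j++) if (opts[j] == "ro") ro = 1
        }
        if (!ro) print $1, $2, $3
    }'
}

# Demo on the constructed sample; on a live system pipe
# "lswpar -M <wpar>" into the function instead.
printf '%s\n' "$SAMPLE_LSWPAR_M" | writable_namefs_mounts
```

On the post's own listing the only hit is /proc, which is expected to be rw; any other global file system turning up in this report is worth a second look, since a writable namefs mount lets the partition modify files the global environment also sees.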
That's it for now - Thanks, Thierry
Hello, it is me again, Thierry. I realized after my first blog that we talked about system and application WPARs but I didn't come up with a reason to use one or the other. So here are some hints.
All commands should have a man page (for example man mkwpar or man wparexec on your AIX system) which provides details of their syntax and parameters, and I recommend reading these pages before using the commands.
One way to choose between a System or an Application WPAR is to answer questions like:
• Do I need to run multiple processes and daemons?
• Do I need file system isolation (writing to global file systems not an issue)?
• Do I need devices?
• Do I need to log on using telnet/rsh?
• Do I need user management?
If I answer "yes" to any of these questions, then I want to run a System WPAR (see the man page for the mkwpar command). Otherwise an Application WPAR may be sufficient (see the man page for the wparexec command).
Let's think about this, and I will come back soon. Bye for now :-)
Hi there. My name is Eric, and I'm one of the developers who created
On the other hand, if you feel so inclined, you can customize almost any aspect of the WPAR's file systems, network configuration, resource controls, RBAC privileges, and more.
In short, a "System" WPAR behaves like its own AIX system. Once logged into one, you can do almost anything you could do on standalone AIX, and we're breaking down the remaining differences with every release.
On the other hand, an "Application" WPAR is a way of encapsulating the process tree of a single running application.
Both types of WPAR provide process isolation. A process running inside the WPAR can't see or talk to any processes outside of the WPAR, other than through normal channels like TCP/IP. And if you've purchased
For a more in-depth introduction to WPARs, I highly recommend Jack's article, AIX 6.1 Workload Partitions - Basic management of Workload Partitions in AIX, which you can read in just a few minutes.
That's it for now. Look for more about WPARs and other juicy topics from me and my colleagues soon.
Eric
I wanted to touch on a couple of things today:
• Changes to Fix Central
• IBM Systems Director and Update Manager
Back in 2007, Fix Central (http://www-933.ibm.com/support/fixcentral/main/System+p/AIX) was moved to a new infrastructure. While this gave us some nice new features like Download Director, we had to remove individual PTF / APAR download capability.
The net result is that customers must now download the entire TL (which is required because we don't support partial install/upgrade of a TL anyway) or Service Pack. Once a Service Pack is downloaded, you can select individual PTFs or install by APAR.
Also, the same thing happened with SUMA. If you request an APAR or PTF, the entire Service Pack (or TL) that contains the update will be downloaded.
I’m bringing this up not because I want to get beat up, but because we are working on some code that would allow customers to create a directory/repository with just the updates they want. I know many customers use ‘smitty update_all’ or ‘install_all_updates’ and they only want the updates in the directory or lpp_source that they want applied to their systems, nothing else. This will help create that directory. You can select just the fileset update or APAR and it will copy the required updates and requisites into a separate directory. Stay tuned to another blog and I’ll let you know when the code ships.
Also, if you haven’t already seen it, you can still do searches by fileset or APAR using the ‘Fix Search’ capability.
IBM Systems Director 6.1
Some of you may have seen the announcements for the new IBM Systems Director (http://www-03.ibm.com/systems/management/director/). There is a nice whitepaper out on http://www-03.ibm.com/systems/power/software/management/resources.html on Managing IBM® Power Servers with IBM Systems Director 6.1.
The paper will continue to be updated and in the next round should include more information about the Update Manager capability for AIX, System Firmware and HMC. One thing I will mention here about Update Manager is that it uses NIM to update the AIX systems.
Update Manager gives you the ability to set policies for your systems and flag them if they are out-of-policy. For instance, if you want to keep your systems at the recommended level for a particular Technology Level, you can set that and Update Manager will check the IBM database and let you know if there is a new recommended Service Pack available. Recommended Service Packs have been out in the field for at least 30 days and have no severe problems found.
We will continue to support SUMA for AIX update acquisition, but Update Manager will also download and install HMC and System Firmware updates and we’ll continue adding to that capability, so take a look and let us know what you think.
Until next time, Julie
Hi there! My name is Veena. I work in the VIOS development area at IBM. VIOS is an acronym for Virtual I/O Server.
Virtualization is one of the latest buzz words in the industry today. So I wanted to talk a little bit about it in my first blog.
Virtualization was developed when mainframes predominated. But, it is now emerging as an important technology to provide scalability, greater flexibility and increased availability at all levels of computing. It is also being used to improve resource utilization and lower management cost.
Virtualization is a technique of abstracting physical resources and presenting a logical view of these resources to its end user. The physical resource could be a CPU, memory or an I/O device. By abstracting the physical resources and its boundaries, the virtualization techniques enable operating systems and applications to run independently of the actual physical hardware.
Virtualization allows aggregation, sharing and emulation of hardware resources. For example, a set of hard disks can be aggregated and presented as a single large virtual storage device. This virtual storage device may be later divided up on a different boundary to fit the applications. Virtualization facilitates sharing of physical resources. For example, a single I/O adapter may be shared by abstracting it to the multiple operating systems and applications as separate devices. Virtualization permits emulation of a hardware resource such that the applications may not know the difference between a physical piece of hardware and the emulated piece of virtual hardware. Pretty cool, eh?
I’ll talk about the VIOS and provide important tidbits in my next blog. Bye for now :-)
This is a heads up on some new function we are working on for ‘Automatic Interim Fix Removal’. Basically, once an interim fix is enabled (it contains a mapping key) then installp will be able to map it to a PTF. When installp attempts to apply a PTF that has the fix, it will automatically remove the interim fix and then apply the PTF.
Since this will be an automatic function, we continue to recommend doing a 'Preview' install before applying any updates. The preview will tell you whether you have all the required updates and requisites, and what (if any) interim fixes will be removed or cannot be removed.
This is something that many customers have been asking for, ever since we introduced the interim fix support via emgr.
I’ll update the blog and the best practices white paper when everything is official and will tell you where it is and how to get it.
Until next time!
I'd like to welcome you to the AIX Developer's blog! My name is Christopher Chaltain, and I'm a manager in the AIX Development organization. I won't be blogging much myself, but rather, my role will be as a facilitator. I'll be working with different developers in the AIX organization who will be doing the hard work and actually providing the technical content. Right now we have several developers lined up to blog about WPARs, virtualization, system management and a few other topics. Initially you can expect things like hints and tips, how-tos, answers to frequently asked questions and pointers to other sources of information. Of course, through your comments you can influence what we blog about and what kind of information we provide. Now let me get out of their way so they can introduce themselves and start sharing some of their insights into the different AIX technologies and features.