Hi there! Today I’d like to talk a little bit about the latest technology in the virtualization area – NPIV. NPIV is an acronym for N_Port ID Virtualization. N_Port ID Virtualization is a Fibre Channel (FC) industry standard technology that provides the capability to take a physical Fibre Channel Host Bus Adapter (HBA) port and assign it multiple unique world wide port names (WWPNs). The world wide port names can then be assigned to multiple initiators such as operating systems. Thus, NPIV allows a physical N_Port to be logically partitioned into multiple logical ports/FC addresses so that a physical HBA can support multiple initiators, each with a unique N_Port ID.
Since NPIV provides direct access to Fibre Channel adapters from multiple client partitions, it simplifies SAN management. Various SAN management tools and best practices can be applied. For example, LUN mapping/masking, fabric zoning, and fabric-based QoS and accounting can be employed. With NPIV, multiple client partitions can share a bunch of adapters, yet have independent access to their own storage devices. This results in the most efficient adapter utilization.
NPIV is now supported on selected POWER6 processor-based servers and is included as part of PowerVM Express, Standard, and Enterprise Edition. For more information, check out the following website: https://www14.software.ibm.com/webapp/set2/sas/f/vios/documentation/home.html
Hello Security Conscious Practitioners - or better should I say - Kerberos Loving People - they are synonyms - aren't they!
I am Sandeep R Patil, working with and interested in security, storage and related stuff, and I plan to blog on some of the features of IBM NAS (Network Authentication Service and not Network Attached Storage :-) ) in this context.
IBM released IBM Network Authentication Service Version 188.8.131.52 (IBM Kerberos - based on MIT Kerberos) in its latest AIX expansion pack and Web download (https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp). Though it's a minor release, it has some good features bundled with it. Following are their titles as listed in the Readme:
- TCP protocol support for KDC (AIX only)
- "ticket_lifetime" configuration relation support in krb5.conf file
- Post Run scripts for kinit and kdestroy commands
- Support for encrypted LDAP bind password
- Circular logging for IBM Network Authentication Service daemons
- Recertification with IBM Tivoli Directory Server (ITDS) 6.1
In this blog I would like to elaborate on "Post Run scripts for kinit and kdestroy commands". Many would have the following questions in mind:
- What is this feature?
- Is it applicable to me?
- I already have wrapper scripts for Kerberos utilities like kinit/kdestroy. Do I still need to worry?
Well, basically this feature allows administrators to notify other dependent kerberized applications of the successful execution of the kinit and kdestroy commands and to take appropriate actions. Vague or meaningless? Let's dig a little more into this:
I understand that administrators can have their own wrapper scripts which can do more or less what the feature does. But there are a couple of exceptions. For example, there will be practitioners whose end users directly make use of the "kinit/kdestroy" programs, and we still want to make sure that the post scripts are called (not every customer may have the wrappers). Moreover, these scripts will be called only if "kinit" and "kdestroy" run successfully to completion. So if kdestroy fails for some reason, then its post script will not be called. This is very vital and will possibly be missing in custom-made wrapper scripts (as they would not know if kdestroy actually deleted the credential or failed for some valid reason).
To further emphasize its necessity: many Kerberos applications, like NFS V4, the DB2 plug-in or custom-made Kerberos applications, read the Kerberos credential and load it into their memory. If the credential is then destroyed using "kdestroy" or renewed using "kinit", there is no means to notify such independent applications that they need to delete the respective credential in their memory (unless the kerberized application keeps polling). These scripts will help do this. Now, if you are using Kerberized AIX NFS V4, you might be aware of the nfsauthreset command. Today, the user has to explicitly execute NFS V4's nfsauthreset command after execution of kinit/kdestroy. With this feature, once the administrator puts the nfsauthreset command in the kinit and kdestroy post scripts (two new files called post_kinit_script.sh and post_kdestroy_script.sh, created under the /etc/krb5 directory), Kerberos credential notification will become seamless. I think this is a very necessary feature, and if you are using Kerberized AIX NFS V4 - it is absolutely applicable to you :-) !
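The post scripts described above, and the success-only behaviour a hand-written wrapper would have to reproduce, sketched as an added example (not code from IBM NAS or from the original post). It assumes the post scripts are invoked with no arguments and that nfsauthreset takes no arguments and is on PATH; NFS_RESET_CMD, notify_nfs and run_then_notify are hypothetical names.

```shell
#!/bin/sh
# Added example: body for /etc/krb5/post_kinit_script.sh and
# /etc/krb5/post_kdestroy_script.sh (file names from the post).
# Assumptions: NAS runs the script with no arguments, and nfsauthreset
# takes no arguments and is on PATH.

# Hypothetical override so the logic can be exercised off AIX.
NFS_RESET_CMD="${NFS_RESET_CMD:-nfsauthreset}"

# Ask the NFS kernel extension to drop its cached GSSAPI credentials.
# Returns 0 on success, 1 if the reset failed, 2 if the command is missing.
notify_nfs() {
    if ! command -v "$NFS_RESET_CMD" >/dev/null 2>&1; then
        echo "post-script: $NFS_RESET_CMD not found" >&2
        return 2
    fi
    if "$NFS_RESET_CMD"; then
        return 0
    fi
    echo "post-script: $NFS_RESET_CMD failed" >&2
    return 1
}

# What a hand-written wrapper has to get right to match the feature:
# notify only when the Kerberos command itself exited 0, and hand the
# command's own exit status back to the caller.
run_then_notify() {
    rc=0
    "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then
        notify_nfs || echo "wrapper: NFS may still hold old credentials" >&2
    fi
    return "$rc"
}

# Runs the notification only when installed under the post-script names.
case "${0##*/}" in
    post_kinit_script.sh|post_kdestroy_script.sh) notify_nfs ;;
esac
```

A site without the NAS feature would call `run_then_notify kdestroy` from its wrapper; with the feature, only the `notify_nfs` part is needed in the two post scripts.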
Reference: nfsauthreset Command - Notifies the Network File System (NFS) kernel extension to destroy the appropriate Generic Security Service API (GSSAPI) credentials from the kernel credentials cache. http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds4/nfsauthreset.htm
Feel free to pass in your comments!
Till next time, Chio - Sandeep
PS: Handy related links:
http://www.ibm.com/developerworks/aix/library/au-nas_relatedtech/
http://www.alphaworks.ibm.com/tech/nasgui/
This is a heads up on some new function we are working on for ‘Automatic Interim Fix Removal’. Basically, once an interim fix is enabled (it contains a mapping key) then installp will be able to map it to a PTF. When installp attempts to apply a PTF that has the fix, it will automatically remove the interim fix and then apply the PTF.
Since this will be an automatic function, we continue to recommend doing a 'Preview' install before applying any updates. The preview will tell you whether you have all the required updates, requisites and what (if any) interim fixes will be removed or cannot be removed.
This is something that many customers have been asking for, ever since we introduced the interim fix support via emgr.
I’ll update the blog and the best practices white paper when everything is official and will tell you where it is and how to get it.
Until next time!