Service Update Management Assistant (SUMA)

Edit online

A Service Update Management Assistant (SUMA) sets up an automated interface to download fixes from a fix distribution website to your systems. SUMA is configured periodically to check the availability of specific new fixes and Technology Levels (TLs). System administrators do not have to manually retrieve the maintenance updates from the web.

When you configure SUMA in an AIX® logical partition (LPAR) or in the Network Installation Management (NIM) master, SUMA establishes a connection to the fix distribution website and downloads the available service update. The fix distribution website is an IBM® server with the domain name esupport.ibm.com. If your configuration contains a firewall that blocks the connection to the fix distribution website, you must customize the firewall rules to allow SUMA to connect to the following IP addresses:

Table 1. IP address
Current IP address (IPv4 and IPv6)	New IP address (IPv4 and IPv6)	Updates
129.42.21.70 2607:f0d0:3901:33:129:42:21:70	192.148.6.11 2620:1f7:c010:1:1:1:1:11	The current IP is disabled and the new IP is enabled from 1 March 2024, 9 AM Eastern Time (ET).
129.42.56.189 2620:0:6c4:200:129:42:56:189	N/A	This IP address is no longer supported from 1 March 2024, 9 AM Eastern Time (ET).
129.42.60.189 2620:0:6c4:200:129:42:60:189	N/A	This IP address is no longer supported from 1 March 2024, 9 AM Eastern Time (ET).

SUMA connects to one of the IP addresses listed in Table 1 based on your geography.

Notes:

IP addresses for the esupport.ibm.com server are changed from the 2023 version of the esupport.ibm.com server.
Add firewall rules to new IP addresses. Do not change or remove the existing firewall rules.
The port website be the fix distribution either 80 for HTTP or 443 for HTTPS.

The SUMA connection diagram shows how SUMA connects to the fix distribution website through the internet.

SUMA connect diagram — Figure 1. SUMA connection diagram

You can access the SUMA configuration by using the suma command or by using the SMIT suma fast path. When you create a SUMA policy, you must specify a request type that specifies the type of download.

The following request types are the valid values to create a SUMA policy:

PTF: Specifies a request to download a program temporary fix (PTF) such as U813941. You can download only certain PTFs as an individual fileset. This limitation applies to PTFs that contain either the bos.rte.install fileset or bos.alt_disk_install.rte fileset and the PTFs that are released in between Service Packs (SPs). Otherwise, you must download the TL or SP.
TL: Specifies a request to download a specific TL, such as 7200-02.
SP: Specifies a request to download a specific SP, such as 7200-02-00.
Latest: Specifies a request to download the latest fixes. This value returns the latest SP or the TL as specified in the FilterML attribute.

Configuring SUMA to use the proxy settings

Prerequisites

Before you run the suma command to download any updates, ensure that you have the country code set in the suma configuration file or as environment variable. To set the country code, enter the following command:

#echo “COUNTRY_CODE = country_code” >> /var/suma/data/config.suma

#export SUMA_COUNTRY_CODE=country_code

where country_code is the country code of your system location based on the following table:

Table 2. Country codes
System location	Country	Country code
Sao Paulo	Brazil	BR
Washington and Dallas	USA	US
Toronto and Montreal	Canada	CA
London	UK	GB
Frankfurt	Germany	DE
Madrid	Spain	ES
Sydney	Australia	AU
Tokyo and Osaka	Japan	JP

Ensure that the AIX LPAR is authenticated to access the internet. To verify that the LPAR is connected to the internet, enter the following command:
```
suma -x -a Action=Preview -a RqType=Latest
```
You can only preview the download operation by using the suma command. When you run this command, files are not downloaded. If the LPAR is not authenticated to access the internet, the command returns the following message:
```
0500-013 Failed to retrieve list from fix server.
```
Contact your administrator or determine the steps necessary to allow your system to access the internet.

Procedure

Configure SUMA to use the proxy settings by performing the following steps:

AIX 7.3 TL3 and earlier

Enter the following command to ensure that the bos.ecc_client.rte fileset is installed on the AIX LPAR:
```
lslpp -h bos.ecc_client.rte
```
Figure 2. Checking the bpos.ecc_client.rte fileset
Enter the following command to ensure that the config_conn_path command is available in the bos.ecc_client.rte fileset:
```
lslpp -w /usr/ecc/bin/config_conn_path
```
Figure 3. config_conn_path command
Configure your proxy settings by peforming the following steps:
1. Run the smit srv_conn command.
2. Select Create/Change Service Configuration and press Enter.
3. Select Create/Change Primary Service Configuration and press Enter.
4. Set the following fields in the SMIT interface:
  Figure 4. Configuring proxy settings
  
  Where, xx.xx.xx.xx is the IP address of the proxy and 5026 is the port number that is used to connect to the proxy settings. When you press Enter, a test connection determines whether the AIX LPAR is authenticated to access the internet by using the proxy settings. The common values for proxy port number are 3138 or 8080.
5. Run the smit suma_config_base command to access the SUMA base configuration SMIT interface. Verify the fields that are shown in the Base Configuration image.
  Figure 5. Base Configuration SMIT

Note: For the Fixserver protocol field, https is the only option. For the Download protocol field, http is the default option. You can change the default option to https for a secure connection. If you set the Download protocol to https, the downloads are slower but more secure as http provides multi-threaded performance and https provides single-threaded performance.

AIX 7.3 TL4

Enter the following command to configure the primary proxy server settings:
```
suma -c -a PROXY_CONNECT=yes

suma -c -a PROXY_ADDRESS_1=1.1.1.1
Enter proxy port number (or enter '.' to skip):
-> 1234

suma -c -a PROXY_USERID_1=proxyusr

NOTE: If you want to skip entering proxy password below, enter '.'. Otherwise, press 'ENTER':
->

Enter proxy password:
->
Confirm password:
-> 
```
where 1.1.1.1 is the IP address of the primary server, 1234 is the port number of the primary server, and proxyusr is the username of the primary server.
Note: The password that you enter is not displayed on the screen for security reasons.
Enter the following command to set up or update the proxy server port number and password separately:
```
# suma -c -a PROXY_PORT_1=5678

# suma -c -a PROXY_PASSWORD_1=

Enter proxy password:
->
Confirm password:
->
```
where 5678 is the port number of the primary server.

Enter the following command to verify your settings:

suma -c

An output similar to the following sample screen is displayed:

DL_RETRY=1
        PROXY_CONNECT=no
        PROXY_ADDRESS_1=1.1.1.1
        PROXY_PORT_1=1234
        PROXY_USERID_1=proxyusr
        PROXY_PASSWORD_1=*****
        PROXY_PRIORITY_1=1
        PROXY_ADDRESS_2=
        PROXY_PORT_2=
        PROXY_USERID_2=
        PROXY_PASSWORD_2=
        PROXY_PRIORITY_2=2
        PROXY_ADDRESS_3=
        PROXY_PORT_3=
        PROXY_USERID_3=
        PROXY_PASSWORD_3=
        PROXY_PRIORITY_3=3
        DIRECT_LAN_CONNECT=yes
        DIRECT_LAN_PRIORITY=0
        USE_FIPS_PROVIDER=no
        EFD_TARGET_SPACE=prod
        USE_CC_CIPHERS=no
        SCREEN_VERBOSE=LVL_INFO
        NOTIFY_VERBOSE=LVL_INFO
        LOGFILE_VERBOSE=LVL_VERBOSE
        SUMA_CHCC_LOG=NONE
        MAXLOGSIZE_MB=1
        REMOVE_CONFLICTING_UPDATES=yes
        REMOVE_DUP_BASE_LEVELS=yes
        REMOVE_SUPERSEDE=yes
        TMPDIR=/var/suma/tmp
        WEB_IDENTITY_FILE=

where 1.1.1.1 is the IP address of the primary server, 1234 is the port number of the primary server, and proxyusr is the username of the primary server.

Notes:

Asterisks (*****) next to the proxy server password field indicate that the password is set with SUMA. The value of the asterisks is masked for security reasons.
You can follow the output of step 3 to configure the secondary and tertiary proxy server details, where PROXY_*_2 is for the secondary proxy server and PROXY_*_3 is for the tertiary proxy server.
Disable the direct LAN service by setting the DIRECT_LAN_CONNECT to no if you want the suma command to use the proxy server service only.
```
suma -c -a DIRECT_LAN_CONNECT=no
```

You can use the SMIT interface of the suma command to configure the proxy server.

Configure the proxy server settings by performing the following steps:
1. Run the smit suma command.
2. Select Create/Change Service Configuration and press Enter.
3. Select Enable/Disable Service Configuration and press Enter.
4. Set the Allow Proxy Server connectivity? field in the SMIT interface to Yes.
5. Set the Allow Direct LAN connectivity? field in the SMIT interface to No to power off direct LAN service connectivity.
  Figure 6. Setting Allow Direct LAN connectivity? field value
6. Press the F3 key to return to the Create/Change Service Configuration screen.
7. Select Create/Change Primary Service Configuration and press Enter.
8. Set the IP address, Port number, Authentication user ID, Authentication password requested interactively, and the Service Priority fields in the SMIT interface.
  Figure 7. Create/Change Primary Service Configuration screen
Change the sequence of the proxy configuration by using one of the configuration parameters such as Service Priority by performing the following steps:
1. Modify the Service Priority field of the corresponding service to change the priority of a Direct LAN service or a proxy service by using the SMIT interface.
  Enter the following command to change the priority of a particular proxy server X service through the command line:
```
suma -c -a PROXY_PRIORITY_X=<priority value>
```
  Enter the following command to change the priority of a Direct LAN service through the command line:
```
suma -c -a DIRECT_LAN_PRIORITY=<priority value>
```
  Note: By default, the Direct LAN connectivity has the highest priority (1). The primary, secondary, and tertiary proxy servers have the priorities 2, 3, and 4 respectively.
2. Set the proxy server to priority 1 if you want the suma command to use a particular proxy server.
  For example, if you want the suma command operation to use a secondary proxy server, set the priority of the secondary proxy server to 1 and reduce the priorities of other services by modifying the service priority value to any number greater than 1.
  Note: The priority value ranges from 1 (highest priority) to 4 (lowest priority).
3. If the suma command cannot connect by using the highest priority service such as direct LAN and proxy server, it tries to connect with the other services when configured and enabled. If none of the other services work, the suma command exits and returns the following error message.
```
0500-013 Failed to retrieve list from fix server
```
Note: The proxy server configuration options are arranged in a sequential priority and are designated as primary, secondary, and tertiary configuration options. When you add a proxy server details, you must start with the primary option. If there are multiple proxy servers, configure the secondary option, and then configure the tertiary option if necessary.

Creating and managing a SUMA task by using the SMIT interface

Complete the following steps to create and save a SUMA task by using the SMIT interface:

Run the smit suma command.
Select Custom/Automated Downloads (Advanced) and press Enter.
Select Create a New SUMA Task and press Enter.
Select an option to determine whether you want to save, run, or schedule a SUMA task and press Enter.
Figure 8. Creating and managing a SUMA task
Set the following fields in the SMIT interface and press Enter.
Figure 9. The SMIT interface

SUMA tasks and the command line

The suma command is used to perform the following operations on a SUMA task or policy:

Create
Edit
List
Schedule
Unschedule
Delete

An RqType parameter specifies the type of download that is requested, such as a TL, SP, or latest.

Examples

To create and save a SUMA task by using the command line, run the following command:
```
suma -w -a DisplayName=‘ AIX72TL2SP2‘ -a FilterML=‘7200-00‘
```
The command returns a task ID after the successful creation of a SUMA task:
```
Task ID 10 created.
```
To create and schedule a task that downloads the latest fixes and adds a policy label through the DisplayName field (useful when you are listing policies through SMIT), run the following command:
```
suma -s "30 2 15 * *" -a RqType=Latest   \
    -a DisplayName="Latest fixes - 15th Monthly"
```
In this example, a task is scheduled to run on the 15th day of every month at 2:30 AM by using the cron format.
To create and schedule a task that downloads the entire 7200-03 Technology Level into the /lppsrc/7203 directory on a specific day and time, run the following command:
```
suma -s "0 23 * * 1" -a Action=Clean -a RqType=ML \
-a RqName=6100-03 -a DLTarget=/lppsrc/6103   \
-a FilterSysFile=/dev/null
```
This command duplicates base levels and conflicting updates. The lppmgr command runs a clean operation after the download to remove superseded updates.
Note: Before you run a task that specifies Action=Clean, you can run the suma -c command to verify the SUMA global configuration settings that are used when you run the lppmgr command. The setting REMOVE_SUPERSEDE, REMOVE_DUP_BASE_LEVELS, and REMOVE_CONFLICTING_UPDATES fields must be set to yes to run the clean operation.

Troubleshooting SUMA error messages

Ensure that you are entitled to download the SUMA maintenance updates. If you are not entitled to download the SUMA maintenance updates, check with your administrator and licensing team for assistance. Without entitlement, you encounter the following error message:

Error: Entitlement is required to download. The system's serial number is not entitled.

For other SUMA error messages, check your system log files for the timestamp of the operation, the IP address, and the port numbers of the fix distribution server. The following example shows a SUMA error message that you might encounter if your system is misconfigured:

# /usr/sbin/suma -x -a Action=Metadata -a RqType=Latest -a FilterML=7100-02 -a DLTarget=/export/eznim/SUMA
0500-013 Failed to retrieve list from fix server.

Consider the following troubleshooting steps to begin troubleshooting SUMA error messages:

Ensure that the firewall connection of the client is authenticated by establishing the telnet connection to the fix distribution center.
```
telnet www.ibm.com 443
telnet www.ibm.com 80
```
Enter the following command to verify the connection:
```
# /usr/esa/bin/verifyConnectivity -t
```
Enter the following command to verify that the Electronic Customer Care (ECC) services are installed:
```
# /usr/ecc/bin/config_conn_path -c 'PRIMARY' -t 'YES'
```
Check the SUMA log files at the following locations:
- /var/adm/ras/suma.log
- /var/adm/ras/suma_dl.log
- /var/suma/log/eccTrace0.0.log
- /var/esa/log
- /var/ecc/data/log/eccTrace0.0.log
- /var/suma/data/suma_get_fixes.log
  Note: The SUMA log files at this location are available from AIX 7.3 Technology level 2.

Enter the following command to edit the SUMA configuration to generate the verbose log files:

suma -c -a SUMA_CHCC_LOG=BOTH

suma -c -a SCREEN_VERBOSE=LVL_DEBUG \
-a LOGFILE_VERBOSE=LVL_DEBUG \
-a NOTIFY_VERBOSE=LVL_DEBUG

Edit the configuration and rerun the SUMA task by performing the following steps:
1. Navigate to the /var/suma/data/eccBase.properties properties file and set TRACE_LEVEL=info.
2. Delete the log files in the /var/suma/log directory.
3. Backup and delete the log file /var/suma/data/suma_get_fixes.log.
4. Enter the following command to rerun the SUMA task:
```
/usr/sbin/suma -x -a Action=Metadata -a RqType=Latest -a FilterML=7100-02 \
         -a DLTarget=/export/eznim/SUMA/7100-02/metadata
```
5. Verify whether the information in the log file is correct.