IBM Support

Downloading and Installing or Upgrading OpenSSL and OpenSSH

Question & Answer


Question

How do I download, install, or upgrade OpenSSL and OpenSSH on AIX?

Answer

The following provides guidance on where to download and how to install or upgrade to the latest openssl and openssh.
 
1) Download the latest available "OpenSSL and/or OpenSSH n.n.n" for your AIX version from the following download link:
(You will need to register at the site if you do not have an account.)
The following example is the latest version at the time of publishing. Always check the download site and the corresponding README files for information pertaining to your AIX oslevel.
openssl
    • (34779877)
openssh
  • VRMF: 7.5.102.1801
    • OpenSSH_7.5.102.1801.tar.Z  (11765639)
***NOTE: OpenSSL must be installed first.
2) Create directories to hold the openssl and openssh files.
Example:
% mkdir /tmp/newopenssl
% mkdir /tmp/newopenssh
Transfer the openssl compressed tar file to the /tmp/newopenssl directory.
Transfer the openssh compressed tar file to the /tmp/newopenssh directory.

3) Before upgrading SSH and/or AIX, make a backup of the /etc/ssh directory if it exists. Skip steps 3 and 9-10 if you don't have ssh installed.
Important Notes
A) If you have an existing ssh configuration, make a copy of the /etc/ssh directory before installing the new ssh to preserve the ssh host keys. If this is a new installation of ssh, there will not be an /etc/ssh directory.

  % cp -pr /etc/ssh /etc/ssh_backup
B) Please see the following technote for details about changes in OpenSSH Version 7. 

4) Prepare the openssl software for installation.
% cd /tmp/newopenssl
% uncompress  
% tar -xvf
% cd <newly created openssl directory if one was created>
5) Install the openssl software
% smitty install_all
INPUT device / directory for software [.]
<enter>
* INPUT device / directory for software .
* SOFTWARE to install []
<....>
Select F4 or esc+4 to list the openssl software.
Select with F7: openssl.base openssl.license openssl.man.en_US
<enter> ACCEPT new license agreements? yes
<enter>
6) Prepare the openssh software for installation
% cd /tmp/newopenssh
% uncompress OpenSSH_7.5.102.1801.tar.Z
% tar -xvf OpenSSH_7.5.102.1801.tar
7) Install the openssh software
% cd <newly created openssh directory if one was created>
% smitty install_all
INPUT device / directory for software [.]
<enter>
* INPUT device / directory for software .
* SOFTWARE to install []
<....>
Select F4 or esc+4 to list the openssh software.
Select with F7: openssh.base openssh.license openssh.man.en_US openssh.msg.EN_US openssh.msg.en_US
<enter> ACCEPT new license agreements? yes
<enter>
8) If the installation was successful, sshd should now be active.
% lssrc -g sshd
This should result in an "active" status, indicating it is ready to accept ssh connections.

NOTE: SSHD is called from the /etc/rc.d/rc2.d/Ssshd script at boot up. The Ssshd script is called from the l2 entry in /etc/inittab
 --> l2:2:wait:/etc/rc.d/rc2.d
9) Since many Open Source packages rely on OpenSSL, it is recommended to run the following command, which updates your virtual AIX-rpm package so the rpm installer is aware of the new or updated libraries:
% /usr/sbin/updtvpkg

*** Skip steps 10 and 11 if this is a new SSH installation.
10) Restore and/or update ssh host keys and config files
% cd /etc/ssh
Backup the newly installed ssh_config and sshd_config files.
% cp -p ssh_config ssh_config.orig_<today's_date>
% cp -p sshd_config sshd_config.orig_<today's_date>
Restore the /etc/ssh_backup host keys directory
% cd /etc/ssh_backup
% cp -pr ssh_host_*_key* /etc/ssh
Update (or restore previous) sshd_config and ssh_config files
**It is recommended that you use the newly installed ssh_config and sshd_config files. If any customizations were made to the old files, manually add those changes to the new files.
Alternatively (not recommended), you can restore the previous config files:
% cd /etc/ssh_backup
% cp -pr sshd_config ssh_config /etc/ssh
11) Stop and restart sshd to read updated config files.
To stop sshd from the command line:
% stopsrc -s sshd
To start sshd from the command line:
% startsrc -s sshd
% lssrc -g sshd
This should result in an "active" status, indicating it is ready to accept ssh connections.
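
The following script is an added example, not part of the IBM technote. It checks the outcome of step 10 by confirming that the host keys restored into /etc/ssh are byte-identical to the /etc/ssh_backup copies and that private keys are closed to group and other, and it lists active sshd_config lines from the old file that the new file lacks. The script name check_ssh_upgrade.sh and the function names verify_host_keys and config_drift are hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM technote); function names are hypothetical.
# Usage: sh check_ssh_upgrade.sh /etc/ssh_backup /etc/ssh

# verify_host_keys BACKUP_DIR LIVE_DIR
# Returns 0 only if every ssh_host_*_key* file in the backup is present in the
# live directory with identical bytes and no private key is open to group/other.
verify_host_keys() {
    backup=$1 live=$2 rc=0 found=0
    for src in "$backup"/ssh_host_*_key*; do
        [ -f "$src" ] || continue
        found=1
        dst=$live/${src##*/}
        if ! cmp -s "$src" "$dst"; then
            echo "MISMATCH: $dst is missing or differs from the backup" >&2
            rc=1
            continue
        fi
        case $dst in
            *.pub) ;;   # public halves may be world-readable
            *)  # characters 5-10 of the ls mode string are the group/other bits
                if [ "$(ls -ld "$dst" | cut -c5-10)" != "------" ]; then
                    echo "PERMS: $dst is accessible by group or other" >&2
                    rc=1
                fi ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "no host keys found in $backup" >&2; rc=1; }
    return "$rc"
}

# config_drift OLD_CONF NEW_CONF
# Prints active (non-comment) lines of the old file that the new file lacks:
# the customizations step 10 says to merge by hand. Keywords are compared
# case-insensitively and runs of whitespace are collapsed before comparing.
config_drift() {
    awk '
        { line = $0; $1 = tolower($1) }     # normalise keyword and spacing
        $0 == "" || /^#/ { next }           # skip blank and comment lines
        FILENAME == ARGV[1] { seen[$0] = 1; next }   # first file: new config
        !($0 in seen) { print line }        # second file: old config
    ' "$2" "$1"
}

if [ "$#" -eq 2 ]; then
    verify_host_keys "$1" "$2" && echo "host keys match the backup"
    config_drift "$1/sshd_config" "$2/sshd_config"
fi
```

Before the restart in step 11, `sshd -t -f /etc/ssh/sshd_config` checks the merged file for syntax errors without starting the daemon.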
SUPPORT

If additional assistance is required after completing all of the instructions provided in this document, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

1.  Document (or collect screen captures of) all symptoms, errors, and messages that might have occurred.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, visit the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If possible, collect a system snap and upload all of the details and data for your case.

To collect a complete snap of your system information:

5.1) Remove previously gathered data

   # snap -r 

5.2) Copy related files from #1 and #2 to the snap data directory

   # mkdir -p /tmp/ibmsupt/testcase
   # cp <logs, screenshots, etc> /tmp/ibmsupt/testcase

5.3) Run the snap command with one of the following options to collect all info.

     * If you have already engaged with a support engineer, use the flags specified by your support team.
     a) General Issues
            # snap -aZc
     b) VIOS
            Log in to the VIO server as padmin
            # snap
     c) PowerHA
            # snap -e
 

5.4) Rename the testcase to include your case number to ensure it is properly attached to your case

  # mv /tmp/ibmsupt/snap.pax.Z /tmp/ibmsupt/yourcase#[.optional_description].snap.pax.Z

5.5) Upload the file by one of the following options (a, b, or c)

     a) Attach to your case 
     https://www.ibm.com/mysupport/s/my-cases

     b) Upload to the Enhanced Customer Data Repository(ECuRep) 
     https://www.secure.ecurep.ibm.com/app/upload_sf

     c) Upload to the Blue Diamond FTP server (Blue Diamond Customers Only)
     https://msciportal.im-ies.ibm.com

* Note: For information about blue diamond upload see:

     http://www.ibm.com/support/docview.wss?uid=nas8N1020947


Document Information

Modified date:
22 November 2019

UID

isg3T1027135