unixadmin.free.fr just another IBM blog

11 Apr 2014

AIX OpenSSL Heartbleed Vulnerability CVE-2014-0160

Title: Security Bulletin: AIX is affected by a vulnerability in OpenSSL (CVE-2014-0160)

Summary: A security vulnerability has been discovered in OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-0160

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. An exploit can affect confidentiality, but not integrity or availability.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.

Affected Products and Versions

OpenSSL version 1.0.1.500 and above in the following AIX/VIOS releases:
AIX: 5.3, 6.1, 7.1 and VIOS 2.2.3.*

Remediation/Fixes

Product: AIX 5.3, 6.1, 7.1, VIOS 2.2.3.* (OpenSSL versions greater than or equal to 1.0.1.500)
APAR: N/a
Remediation / First Fix: ftp://aix.software.ibm.com/aix/efixes/security/openssl_ifix7.tar
(ifix: 0160_ifix.140409.epkg.Z)

This ifix disables the OpenSSL heartbeat option by compiling with
-DOPENSSL_NO_HEARTBEATS.

Note: AIX OpenSSL v0.9.8.xxxx and 12.9.8.xxxx are not vulnerable to this security vulnerability.
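A way to check a host against the affected range above, as an added example (not IBM's tooling and not part of the bulletin): it parses "lslpp -L" output for the openssl.* filesets, applies the bulletin's rule (1.0.1.500 and above affected; 0.9.8.xxxx and 12.9.8.xxxx not), and looks for the ifix label in "emgr -l" output. The lslpp and emgr samples are constructed, and the label 0160_ifix is assumed from the epkg file name in the fix table; confirm it against "emgr -l" on a real system.

```python
import re

# Rules from the IBM bulletin: 1.0.1.500 and above is affected;
# 0.9.8.xxxx and 12.9.8.xxxx are not.
AFFECTED_FROM = (1, 0, 1, 500)
UNAFFECTED_BRANCHES = {(0, 9, 8), (12, 9, 8)}

# Assumed emgr label for the ifix, taken from the epkg file name in the bulletin
# (0160_ifix.140409.epkg.Z); confirm it with `emgr -l` on the system.
IFIX_LABEL = "0160_ifix"

# Constructed sample of `lslpp -L 'openssl.*'` output (not captured from a real host).
LSLPP_SAMPLE = """\
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssl.base               1.0.1.510    C     F    Open Secure Socket Layer
  openssl.license            1.0.1.510    C     F    Open Secure Socket Layer
  openssl.man.en_US          1.0.1.510    C     F    Open Secure Socket Layer
"""

# Constructed sample of `emgr -l` output on which the OpenSSL ifix is absent.
EMGR_SAMPLE = """\
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1    S    IV00000s01 03/02/14 09:15:21            constructed unrelated ifix
"""

LEVEL_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_level(level):
    """'1.0.1.510' -> (1, 0, 1, 510) so levels compare numerically, not as strings."""
    return tuple(int(part) for part in level.split("."))


def is_affected_level(level):
    """Apply the bulletin's rule to a single fileset level."""
    version = parse_level(level)
    if version[:3] in UNAFFECTED_BRANCHES:   # checked first: 12.9.8.x sorts above 1.0.1.500
        return False
    return version >= AFFECTED_FROM


def parse_lslpp(text):
    """Return {fileset: level} for the openssl.* lines of `lslpp -L` output."""
    levels = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("openssl.") and LEVEL_RE.match(parts[1]):
            levels[parts[0]] = parts[1]
    return levels


def ifix_installed(emgr_text, label=IFIX_LABEL):
    """True if the ifix label appears as a whole token on any `emgr -l` line."""
    return any(label in line.split() for line in emgr_text.splitlines())


def assess(lslpp_text, emgr_text):
    """Which openssl filesets sit at an affected level, and whether the ifix is present."""
    levels = parse_lslpp(lslpp_text)
    affected = sorted(name for name, level in levels.items() if is_affected_level(level))
    fixed = ifix_installed(emgr_text)
    return {
        "levels": levels,
        "affected": affected,
        "ifix_installed": fixed,
        "action_required": bool(affected) and not fixed,
    }


if __name__ == "__main__":
    report = assess(LSLPP_SAMPLE, EMGR_SAMPLE)
    for name, level in sorted(report["levels"].items()):
        flag = "AFFECTED" if name in report["affected"] else "not in affected range"
        print(f"{name:<22} {level:<12} {flag}")
    print("ifix installed:", report["ifix_installed"])
    print("action required:", report["action_required"])
```

A level the bulletin does not mention (anything below 1.0.1.500 that is not a 0.9.8 or 12.9.8 fileset) is reported as "not in affected range" only because the bulletin does not list it; treat such a result as "unknown" rather than "safe". Note also that the ifix check only tells you the fix is present; it does not replace the certificate and credential steps below.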

After applying the fix, additional steps are needed for CVE-2014-0160:

1) Replace your SSL certificates.
Revoke the existing SSL certificates and reissue new ones. Do not generate the new certificates from the old private key: create a new private key (e.g. using "openssl genrsa") and use that new key to create the new certificate signing request (CSR).

2) Reset user credentials.
Users of network-facing applications protected by a vulnerable version of OpenSSL should be forced to reset their passwords; any authentication or session-related cookies set before OpenSSL was upgraded should be revoked, and users forced to re-authenticate.

Warning: Your environment may require additional fixes for other products, including non-IBM products. Please replace the SSL certificates and reset the user credentials after applying the necessary fixes to your environment.

Workarounds and Mitigations
None known

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc

Filed under: AIX
21 Oct 2013

Debian Linux on IBM POWER … easy :)

Installing Debian Linux 7.2 on IBM POWER is disconcertingly easy. Below is an example installation from a "Debian netinstaller" ISO image (debian-7.2.0-powerpc-netinst) on a Virtual I/O Server shared storage pool.

Create the 10 GB system disk debian1 and map it to vhost8 under the name debian_sda

$ mkbdsp -clustername CL570 -sp SPA 10G -bd debian1 -vadapter vhost8 -tn debian_sda
Lu Name:debian1
Lu Udid:72cf212efed9a724585b307a92a83ce0

Assigning file "debian1" as a backing device.
VTD:debian_sda

$ lsmap -vadapter vhost8
SVSA            Physloc                                      Client Partition ID
--------------- -------------------------------------------- ------------------
vhost8          U9117.570.658502E-V2-C90                     0x00000000

VTD                   debian_sda
Status                Available
LUN                   0x8100000000000000
Backing device        debian1.72cf212efed9a724585b307a92a83ce0
Physloc
Mirrored              N/A

Create a repository to store the ISO image "debian-7.2.0-powerpc-netinst.iso"

$ mkrep -sp rootvg -size 10G
Virtual Media Repository Created
Repository created within "VMLibrary" logical volume

$ mkvopt -name debianISO -file /home/padmin/ISO/debian-7.2.0-powerpc-netinst.iso -ro

$ df -g /var/vio/VMLibrary
Filesystem    GB blocks      Free %Used    Iused %Iused Mounted on
/dev/VMLibrary     10.00      9.71    3%        5     1% /var/vio/VMLibrary

Create a virtual DVD and load the ISO image into it

$ mkvdev -fbo -vadapter vhost8
vtopt0 Available

$ loadopt -vtd vtopt0 -disk debianISO

$ lsmap -vadapter vhost8
SVSA            Physloc                                      Client Partition ID
--------------- -------------------------------------------- ------------------
vhost8          U9117.570.658502E-V2-C90                     0x00000000

VTD                   debian_sda
Status                Available
LUN                   0x8100000000000000
Backing device        debian1.72cf212efed9a724585b307a92a83ce0
Physloc
Mirrored              N/A

VTD                   vtopt0
Status                Available
LUN                   0x8200000000000000
Backing device        /var/vio/VMLibrary/debianISO
Physloc
Mirrored              N/A
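Before booting the partition, it is worth confirming that both mappings are in place. As an added example (not part of the post or of the VIOS toolset), the following Python parses the two lsmap outputs above and reports what is missing; the outputs are copied from the post, and the check function and its rules (disk VTD present and Available, a virtual optical device present and loaded with the named ISO) are my own.

```python
import re

# Both outputs are copied from the post: before and after `loadopt`.
LSMAP_BEFORE_LOADOPT = """\
SVSA            Physloc                                      Client Partition ID
--------------- -------------------------------------------- ------------------
vhost8          U9117.570.658502E-V2-C90                     0x00000000

VTD                   debian_sda
Status                Available
LUN                   0x8100000000000000
Backing device        debian1.72cf212efed9a724585b307a92a83ce0
Physloc
Mirrored              N/A
"""

LSMAP_AFTER_LOADOPT = LSMAP_BEFORE_LOADOPT + """
VTD                   vtopt0
Status                Available
LUN                   0x8200000000000000
Backing device        /var/vio/VMLibrary/debianISO
Physloc
Mirrored              N/A
"""

FIELD_RE = re.compile(r"^(VTD|Status|LUN|Backing device|Physloc|Mirrored)\s*(.*)$")


def parse_lsmap(text):
    """Turn the VTD paragraphs of `lsmap -vadapter` output into a list of dicts."""
    devices, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue                       # header rows and the vhost line
        key, value = match.group(1), match.group(2).strip()
        if key == "VTD":
            current = {"VTD": value}
            devices.append(current)
        elif current is not None:
            current[key] = value
    return devices


def check_install_mapping(text, disk_vtd, iso_name):
    """Return a list of problems; empty means the partition is ready to boot the installer.
    Rules (my own): the system disk VTD must exist and be Available, and some virtual
    optical VTD must be Available with the named ISO as its backing device."""
    by_name = {d["VTD"]: d for d in parse_lsmap(text)}
    problems = []
    disk = by_name.get(disk_vtd)
    if disk is None:
        problems.append(f"system disk {disk_vtd} is not mapped")
    elif disk.get("Status") != "Available":
        problems.append(f"system disk {disk_vtd} is {disk.get('Status')}, not Available")
    optical = [d for d in by_name.values()
               if d.get("Backing device", "").endswith("/" + iso_name)]
    if not optical:
        problems.append(f"no virtual optical device is loaded with {iso_name}")
    elif optical[0].get("Status") != "Available":
        problems.append(f"{optical[0]['VTD']} is {optical[0].get('Status')}, not Available")
    return problems


if __name__ == "__main__":
    for label, output in (("before loadopt", LSMAP_BEFORE_LOADOPT),
                          ("after loadopt", LSMAP_AFTER_LOADOPT)):
        print(label, "->", check_install_mapping(output, "debian_sda", "debianISO") or "ready")
```

On a real VIOS the text would come from running "lsmap -vadapter vhost8" as padmin and feeding its output to check_install_mapping; the first output above fails the check (no optical device yet), the second passes.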

Boot from the CD via the SMS menu

IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM                             IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM     STARTING SOFTWARE       IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM        PLEASE WAIT...       IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM                             IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM
IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM IBM


Elapsed time since release of system processors: 15905 mins 2 secs

Config file read, 1337 bytes
Welcome to Debian GNU/Linux wheezy!

This is a Debian installation CDROM,
built on 20131012-15:01.


Enter one of the following options to begin:

install     64-bit processor (G5 or POWER3/4/5/6/7)
install32   32-bit processor (G4 or earlier)

.....
Welcome to yaboot version 1.3.16
Enter "help" to get some basic usage information
boot:install

Next ... Next ... Next ... Reboot (not to be done under Windows)

Well, apparently the bootlist still points to the CD.
So, stop at the SMS menu and set the bootlist manually to the virtual disk.

root@deb570:~# uname -a
Linux deb570 3.2.0-4-powerpc64 #1 SMP Debian 3.2.51-1 ppc64 GNU/Linux

Long live all the Debian PowerPC developers ;)

7 Aug 2013

File Times in AIX

This technote discusses timestamps associated with files in filesystems on AIX.

In AIX each file has three different timestamps associated with it. These can be seen in the system include file /usr/include/sys/stat.h :

st_atime Time when file data was last accessed.
st_mtime Time when file data was last modified.
st_ctime Time when the file metadata was last changed.

All times recorded are in seconds since the Unix epoch. (Note, for completeness, that there are also counters for these in nanoseconds.)

Access Time (atime)
This is a timestamp recorded in the filesystem when the file was last opened for reading. The timestamp reflects when the open() on the file was performed, not necessarily when data was last read from it.

The access time can be viewed via ls using the -u flag.

Modification Time (mtime)
This denotes when the content of the file was most recently changed.

The modification time is what ls -l reports by default.

Change time (ctime)
This marks when a file's metadata was changed, such as permissions or ownership.

This time cannot be seen with the 'ls' command.

Other Notes
Some operating systems also include a "file creation" time, but AIX does not.

These times can be seen via commands such as 'ls' or 'find' with the appropriate arguments given to print out the value desired.

An easy way to view all three simultaneously is with the /usr/bin/istat command:

$ istat p.out
Inode 263 on device 10/8        File
Protection: rw-r--r--
Owner: 0(root)          Group: 0(system)
Link count:   1         Length 14682 bytes

Last updated:   Tue Sep 15 10:50:15 PDT 2009
Last modified:  Tue Sep 15 10:50:15 PDT 2009
Last accessed:  Tue Nov  3 12:01:12 PST 2009

So this file had its contents modified on Sep 15, and that is also the time the metadata for the file was changed. The file was read last on Nov 3.

Some utilities such as tar specifically modify a file's time values to record a different time than would normally be present. For example, the default behavior of tar when restoring a file is to create the file, then set the modification time back to what it was set to in the tar archive.
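To make the three timestamps and the tar behaviour concrete, here is an added Python example that is not part of the technote: it creates a file, changes its permissions, then back-dates the modification time with utime() the way tar's restore does, and reports which timestamps moved at each step. The file name p.out mirrors the istat output above. The point it shows is that ctime cannot be set from user space, so a modification time far older than the change time is the sign to look for when deciding whether an mtime reflects the real write or was set afterwards, by tar or by anything else. Access time is not asserted because its update depends on mount options such as noatime (see the next section).

```python
import os
import tempfile
import time


def timestamps(path):
    """The three inode timestamps the technote describes, in seconds since the epoch."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def demo_file_times(workdir=None):
    """Create p.out, chmod it, then back-date its mtime the way tar's restore does.
    Returns observations (all expected True) about which timestamp moved when."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "p.out")          # name borrowed from the istat sample
    with open(path, "w") as fh:
        fh.write("constructed sample content\n")
    created = timestamps(path)

    # Step 1: a permission change is metadata only: ctime moves, mtime does not.
    time.sleep(1.1)   # some filesystems keep whole seconds; make the change visible
    os.chmod(path, 0o600)
    after_chmod = timestamps(path)

    # Step 2: what tar does on restore: utime() sets mtime (and atime) back to the
    # archived value. ctime cannot be set from user space, so it records "now".
    thirty_days_ago = created["mtime"] - 30 * 86400
    time.sleep(1.1)
    os.utime(path, (thirty_days_ago, thirty_days_ago))
    after_restore = timestamps(path)

    return {
        "mtime_unchanged_by_chmod": after_chmod["mtime"] == created["mtime"],
        "ctime_moved_by_chmod": after_chmod["ctime"] > created["ctime"],
        "mtime_backdated_by_utime": abs(after_restore["mtime"] - thirty_days_ago) < 1.0,
        "ctime_moved_by_utime": after_restore["ctime"] > after_chmod["ctime"],
        # The pattern worth noticing: mtime sits far behind ctime, so the content time
        # shown by `ls -l` is not when this inode was last written on this system.
        "mtime_far_older_than_ctime": after_restore["ctime"] - after_restore["mtime"] > 86400,
    }


def istat_style(path):
    """Print the three times in the order istat shows them (updated = ctime)."""
    t = timestamps(path)
    for label, key in (("Last updated", "ctime"), ("Last modified", "mtime"),
                       ("Last accessed", "atime")):
        print(f"{label + ':':<16}{time.ctime(t[key])}")


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    for name, ok in demo_file_times(workdir).items():
        print(f"{name:<28} {ok}")
    istat_style(os.path.join(workdir, "p.out"))
```

Run stand-alone it prints the five observations followed by an istat-like listing in which "Last modified" is a month behind "Last updated"; on AIX the same state would be visible with the istat command above.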

Mount Option to Not Update Access Time
For filesystems with a high rate of file access, performance can be improved by disabling the update of the access time stamp. This option can be added to a filesystem by using the "-o noatime" mount option, or permanently set using "chfs -a options=noatime".

SOURCE: 1012054

Filed under: AIX
6 Aug 2013

DSMSERV RESTORE DB FAILED

Environment:
TSM 6.3 - Windows 2008

1) Make a copy of volhist.dat and check its contents, looking for the impacted BACKUPFULL entry:

**************************************************
 Operation Date/Time:   2013/07/06 18:57:10
 
 Volume Type:  BACKUPFULL
* Location for volume K:\BACKUP_TSMDB\75808230.DBV is: ''
 Volume Name:  "K:\BACKUP_TSMDB\75808230.DBV"
 Backup Series:     125
 Backup Op:       0
 Volume Seq:   10001
  Device Class Name:  SEC03
**************************************************

2) Create a hex dump of the TSM DB backup and check the value of Backup Series:

@ 0000020 => (0000 7f00) = 0x7f = 127

The Backup Series in the DB backup (127) is different from the one in the volhist file (125).

# xxd 75808230.dbv | more
0000000: 0100 0000 2400 0000 4943 4944 0000 189c  ....$...ICID....
0000010: 0000 0024 0000 0100 07dd 0806 1239 0a00  ...$.........9..
0000020: 0000 7f00 0000 0000 0000 0101 0002 02ff  ................
0000030: ffff ffff ffff ff53 514c 5542 524d 4544  .......SQLUBRMED
0000040: 4845 4144 2000 0054 534d 4442 3100 0000  HEAD ..TSMDB1...
0000050: 3230 3133 3038 3036 3138 3537 3130 0000  20130806185710..
0000060: 0053 4552 5645 5231 0000 0001 0000 00f8  .SERVER1........
0000070: 0100 0000 0d54 534d 4442 3100 0000 0072  .....TSMDB1....r

Workaround:
Edit the volhist file and replace the Backup Series value with the value found in the hex dump of the TSM DB backup.
DSMSERV RESTORE DB then works fine.

Check for a TSM fix pack.
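The two checks above can be scripted. As an added example (not from the post and not IBM code), the Python below rebuilds the bytes from the xxd text, reads the Backup Series the post points at, compares it with the volhist.dat entry and produces a corrected copy of the entry. Both samples are copied from the post. The field decoding is an assumption: the post identifies the word at offset 0x20 (0000 7f00) as 0x7f, which this code reads as the 16-bit little-endian value at offset 0x22; the DB backup header layout is not documented on the page, so verify the value against a known-good backup before editing volhist.dat, and keep the copy made in step 1.

```python
import re

# Excerpt of volhist.dat as shown in the post (step 1).
VOLHIST = r"""**************************************************
 Operation Date/Time:   2013/07/06 18:57:10
 
 Volume Type:  BACKUPFULL
* Location for volume K:\BACKUP_TSMDB\75808230.DBV is: ''
 Volume Name:  "K:\BACKUP_TSMDB\75808230.DBV"
 Backup Series:     125
 Backup Op:       0
 Volume Seq:   10001
  Device Class Name:  SEC03
**************************************************
"""

# First 128 bytes of the DB backup volume, as dumped with xxd in the post (step 2).
XXD_DUMP = """\
0000000: 0100 0000 2400 0000 4943 4944 0000 189c  ....$...ICID....
0000010: 0000 0024 0000 0100 07dd 0806 1239 0a00  ...$.........9..
0000020: 0000 7f00 0000 0000 0000 0101 0002 02ff  ................
0000030: ffff ffff ffff ff53 514c 5542 524d 4544  .......SQLUBRMED
0000040: 4845 4144 2000 0054 534d 4442 3100 0000  HEAD ..TSMDB1...
0000050: 3230 3133 3038 3036 3138 3537 3130 0000  20130806185710..
0000060: 0053 4552 5645 5231 0000 0001 0000 00f8  .SERVER1........
0000070: 0100 0000 0d54 534d 4442 3100 0000 0072  .....TSMDB1....r
"""

VOLUME = r"K:\BACKUP_TSMDB\75808230.DBV"

# Assumption: the post reads the word at 0x20 (00 00 7f 00) as 0x7f, which matches a
# 16-bit little-endian value at offset 0x22. This is not a documented header layout.
SERIES_OFFSET = 0x22
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{2,4}")


def parse_xxd(dump):
    """Rebuild the bytes from xxd text (offset: hex groups, then an ASCII column)."""
    data = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        offset_text, rest = line.split(":", 1)
        offset = int(offset_text, 16)
        hexdigits = ""
        for token in rest.split():
            if not HEX_TOKEN.fullmatch(token):
                break                      # first non-hex token starts the ASCII column
            hexdigits += token
        chunk = bytes.fromhex(hexdigits)
        if len(data) < offset:             # tolerate gaps between dumped regions
            data.extend(b"\0" * (offset - len(data)))
        data[offset:offset + len(chunk)] = chunk
    return bytes(data)


def header_strings(data, min_len=4):
    """Printable runs in the header: a quick sanity check that this is the right file."""
    return [m.decode("ascii").strip() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def backup_series_from_header(data):
    """Read the Backup Series field as the post interprets it (see SERIES_OFFSET)."""
    if data[8:12] != b"ICID":              # marker present in the post's dump
        raise ValueError("ICID marker missing; is this a TSM DB backup volume?")
    return int.from_bytes(data[SERIES_OFFSET:SERIES_OFFSET + 2], "little")


def _walk_volhist(text):
    """Yield (line, current volume name); entries are separated by '****' lines."""
    current = None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("****"):
            current = None
        elif stripped.startswith("Volume Name:"):
            current = stripped.split(":", 1)[1].strip().strip('"')
        yield line, current


def volhist_series(text, volume):
    """Backup Series recorded in volhist for one volume, or None if not found."""
    for line, current in _walk_volhist(text):
        stripped = line.strip()
        if current == volume and stripped.startswith("Backup Series:"):
            return int(stripped.split(":", 1)[1])
    return None


def patch_volhist(text, volume, new_series):
    """Return volhist text with the Backup Series of one entry replaced (edit a copy!)."""
    out = []
    for line, current in _walk_volhist(text):
        if current == volume and line.strip().startswith("Backup Series:"):
            line = re.sub(r"(Backup Series:\s*)\d+", lambda m: m.group(1) + str(new_series), line)
        out.append(line)
    return "".join(out)


def compare(volhist_text, dump_text, volume):
    """Series from the backup header versus the series volhist claims for that volume."""
    header = backup_series_from_header(parse_xxd(dump_text))
    recorded = volhist_series(volhist_text, volume)
    return {"volhist": recorded, "header": header, "match": recorded == header}


if __name__ == "__main__":
    data = parse_xxd(XXD_DUMP)
    print("header strings:", header_strings(data))
    result = compare(VOLHIST, XXD_DUMP, VOLUME)
    print(result)
    if not result["match"]:
        print(patch_volhist(VOLHIST, VOLUME, result["header"]))
```

On the post's data the comparison reports volhist 125 against header 127, and the patched entry carries 127; header_strings() shows the DB name and server name from the dump, which is the quick way to confirm the dump came from the volume named in volhist before trusting the number.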

Filed under: TSM
6 Aug 2013

NAS backup fails with ANR8758W on EMC DATADOMAIN

ANR1069E and ANR8758W failures for a NAS (NDMP) backup, indicating that there are insufficient mount points and that the number of drives does not match the number of paths for the source node.
Symptom

NAS (NDMP) backup fails with:

ANR8758W The number of online drives in the VTL library NASLIB does not match the number of online drive paths for source NASNODE.
ANR1069E NAS Backup process 33 terminated - insufficient number of mount points available for removable media.

The problem was seen in an environment with a Unix server, ProtecTIER VTL and Network Appliance (NetApp) NAS, but may also occur in other environments.
Resolving the problem

In this case, the error was resolved by changing the Library Type from VTL to SCSI.

Use the Tivoli Storage Manager command: UPDATE LIBR LIBTYPE=SCSI

5 Aug 2013

How is Tivoli Storage Manager applying versioning to NAS backups?

To back up a NAS filer using the NDMP protocol, a Tivoli Storage Manager client NAS node needs to be defined to the Tivoli Storage Manager server. This Tivoli Storage Manager client node belongs to a policy domain like all other nodes.
Therefore Tivoli Storage Manager policies (such as versioning) apply to Tivoli Storage Manager NAS backups, too.

Tivoli Storage Manager versioning applies to the complete NDMP dump only, because the Tivoli Storage Manager server is not aware of the individual objects included in the NDMP dump (except when reading the TOC).
To apply Tivoli Storage Manager versioning to individual objects, each object within the NDMP dump would need its own Tivoli Storage Manager server internal object ID, which is NOT the case.
In addition, if Tivoli Storage Manager versioning applied to individual objects within the NDMP dump, something similar to aggregate compression would have to be available to "delete" the invalid objects out of the NDMP dump, which is NOT the case either.

For a NAS filesystem, full and differential backups are grouped, with the full backup being the peer group leader.

If for example VEREXISTS = 4 and you do a full backup followed by 3 differentials then your Tivoli Storage Manager server database will have 4 versions of this backup image.
The next differential backup of the NAS filer will expire the full backup (but the Tivoli Storage Manager server is still keeping it internally, since it is needed to restore any of the differential images ).

The Tivoli Storage Manager server may store a full backup in excess of the number of versions you specified. When this happens, the full backup will stay in Tivoli Storage Manager database until all dependent backups have expired.

'QUERY NASBACKUP' will not show this extra version.

Use SQL 'SELECT' statements and/or 'SHOW VERSION' Tivoli Storage Manager server commands to see this extra version.

Use the following command to examine the dependency of full image and differential image backups:

'show version nodename filespace_name'

/vol/vol1 : /NAS/ IMAGE (MC: default)
Inactive, Inserted 05/25/05 11:14:57, Deactivated 1900-01-01 00:00:00.000000
ObjId: 0.138114, GroupMap 00050000, objType 0x0b
Attr Group Leader, GroupId: 0.138114
Delta Group Leader, GroupId: 0.138114

We see this version is deactivated already (Deactivated 1900-01-01 00:00:00.000000), it should have expired, but it stays in the Tivoli Storage Manager server database because it is a delta group leader (GroupId: 0.138114) and the following delta member (GroupId: 0.138114) has not yet expired:

/vol/vol1 : /NAS/ IMAGE (MC: Default)
Inactive, Inserted 07/20/05 20:41:28, Deactivated 07/27/05 22:15:21
ObjId: 0.179387, GroupMap 00040001, objType 0x0c
Delta Group Member, GroupId: 0.138114
Attr Group Leader, GroupId: 0.179387

In the example above, Delta Group Leader represents the full image backup and the Delta Group Member the differential image backup.

Important to understand:
Although the already expired full and differential NAS backups can be seen, it is not possible to do a point in time (PIT) restore from the date of an expired full or differential backup! It is only possible to do a PIT restore from full and differential NAS backups that have not yet expired.
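The retention rule described above (only VEREXISTS versions count, but a full image is kept as long as a differential depends on it) and the show version output can both be worked through in code. The Python below is an added example, not a TSM command or IBM's code: it parses the show version output quoted above into delta group leaders and members, lists which full images expiration could actually remove, and simulates the VEREXISTS = 4 sequence from the text. The output text is copied from the technote; the parser and the simulation's rule are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# `show version` output copied from the technote: a full image (delta group leader)
# and the differential (delta group member) that depends on it.
SHOW_VERSION = """\
/vol/vol1 : /NAS/ IMAGE (MC: default)
Inactive, Inserted 05/25/05 11:14:57, Deactivated 1900-01-01 00:00:00.000000
ObjId: 0.138114, GroupMap 00050000, objType 0x0b
Attr Group Leader, GroupId: 0.138114
Delta Group Leader, GroupId: 0.138114

/vol/vol1 : /NAS/ IMAGE (MC: Default)
Inactive, Inserted 07/20/05 20:41:28, Deactivated 07/27/05 22:15:21
ObjId: 0.179387, GroupMap 00040001, objType 0x0c
Delta Group Member, GroupId: 0.138114
Attr Group Leader, GroupId: 0.179387
"""


@dataclass
class Version:
    obj_id: str = ""
    state: str = ""
    inserted: str = ""
    deactivated: str = ""
    delta_leader_of: Optional[str] = None   # set on a full image
    delta_member_of: Optional[str] = None   # set on a differential; names its full


def parse_show_version(text):
    """One Version per blank-line-separated block of `show version` output."""
    versions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        v = Version()
        for line in block.splitlines():
            if m := re.match(r"(Active|Inactive),\s*Inserted\s+(.+?),\s*Deactivated\s+(.+)", line):
                v.state, v.inserted, v.deactivated = m.groups()
            elif m := re.match(r"ObjId:\s*(\S+),", line):
                v.obj_id = m.group(1)
            elif m := re.match(r"Delta Group Leader, GroupId:\s*(\S+)", line):
                v.delta_leader_of = m.group(1)
            elif m := re.match(r"Delta Group Member, GroupId:\s*(\S+)", line):
                v.delta_member_of = m.group(1)
        versions.append(v)
    return versions


def dependents(versions):
    """Map each full image's GroupId to the ObjIds of differentials that still depend on it."""
    deps = {v.delta_leader_of: [] for v in versions if v.delta_leader_of}
    for v in versions:
        if v.delta_member_of in deps:
            deps[v.delta_member_of].append(v.obj_id)
    return deps


def removable_fulls(versions):
    """Full images expiration may actually delete: those with no remaining dependents."""
    return sorted(group for group, members in dependents(versions).items() if not members)


def simulate_retention(verexists, backups):
    """backups is a sequence of 'full' / 'diff' in time order.
    Rule from the technote: only the newest `verexists` backups count as versions,
    but a full is kept internally while any counted differential depends on it.
    Returns (counted object numbers, objects actually held in the database)."""
    leader = None
    objects = []                            # (number, kind, full it depends on)
    for number, kind in enumerate(backups):
        if kind == "full":
            leader = number
            objects.append((number, kind, None))
        else:
            objects.append((number, kind, leader))
    counted = [number for number, _, _ in objects[-verexists:]]
    held = set(counted)
    for number, kind, depends_on in objects:
        if number in held and kind == "diff" and depends_on is not None:
            held.add(depends_on)
    return counted, sorted(held)


if __name__ == "__main__":
    versions = parse_show_version(SHOW_VERSION)
    for v in versions:
        role = "full" if v.delta_leader_of else f"differential of {v.delta_member_of}"
        print(f"{v.obj_id}: {v.state}, inserted {v.inserted}, {role}")
    print("dependents:", dependents(versions))
    print("fulls removable now:", removable_fulls(versions) or "none")
    print("VEREXISTS=4, full + 3 diffs:", simulate_retention(4, ["full"] + ["diff"] * 3))
    print("VEREXISTS=4, full + 4 diffs:", simulate_retention(4, ["full"] + ["diff"] * 4))
```

With a fifth backup (full + 4 differentials) the simulation counts only objects 1 to 4 as versions yet still holds object 0, the full, which is the "extra version" the text says QUERY NASBACKUP will not show. For the quoted show version output, removable_fulls() is empty because 0.179387 still depends on 0.138114.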

SOURCE: 1200154

28 Jul 2013

EMC VNX Snapview not supported with AIX MPIO

I found that some customers use SnapView on CX or VNX Flare with the AIX native MPIO driver on VIOS or AIX.

Already in 2008, EMC wrote a technical note specifying that software layered like Snapview was not supported with AIX MPIO.

Technote: 300-008-486_aix_native_mpio_clariion_1108

Today this technote has disappeared, but EMC support has written an EMC Primus article "emc75601" specifying that it is still not supported with VNX layered software.

Driver example:

EMC.CLARiiON.aix.rte       5.3.0.8    C     F    EMC CLARiiON AIX Support
EMC.CLARiiON.fcp.MPIO.rte  5.3.0.8    C     F    EMC CLARiiON FCP MPIO Support
devices.common.IBM.mpio.rte 6.1.7.15    C     F    MPIO Disk Path Control Module

EMC Primus case "emc75601"

VNX storage-system layered applications
EMC Layered software such as SnapView, MirrorView/Asynchronous, MirrorView/Synchronous,
EMC SAN Copy, etc., are not supported with hosts running AIX Native MPIO

So if it is imperative to use Snapview, then install EMC PowerPath.

22 Jul 2013

Device Configuration Database Lock Service Timed Out Message

Every process that changes the ODM first locks the ODM to prevent other processes from making changes simultaneously. When you see this message displayed, it means another process has already obtained the lock.

Wait a few minutes and retry the process. If the system continually displays the message, check which process is holding the lock.

To check, use the following command:

fuser -ux /etc/objrepos/config_lock

The system displays the process ID currently holding the lock. Verify the process holding the lock is not hung.

If the process holding the lock is hung, determine whether the process is required. If the process isn’t required, then send a signal to either try to awaken the process or kill the process.

Filed under: AIX
19 Jul 2013

viosbr tool

A handy little command for restoring a broken mapping on a VIOS from the automatic backups run by root's cron.

0 0 * * * (/usr/ios/cli/ioscli viosbr -backup -file vios_config_bkup -frequency daily -numfiles  10 )

$ viosbr -backup -file /home/padmin/cfgbackups/my_vios_config_bkup
Backup of this node (vios_1) successful

$ viosbr -view -list
my_vios_config_bkup.tar.gz
vios_config_bkup.01.tar.gz
vios_config_bkup.02.tar.gz
vios_config_bkup.03.tar.gz
vios_config_bkup.04.tar.gz
vios_config_bkup.05.tar.gz
vios_config_bkup.06.tar.gz
vios_config_bkup.07.tar.gz
vios_config_bkup.08.tar.gz
vios_config_bkup.09.tar.gz
vios_config_bkup.10.tar.gz

$ ls -ltr /home/padmin/cfgbackups
total 280
-rw-r--r--    1 root     system         8384 May 22 00:00 vios_config_bkup.07.tar.gz
-rw-r--r--    1 root     system         8384 May 22 00:00 vios_config_bkup.06.tar.gz
-rw-r--r--    1 root     system         8384 May 22 00:00 vios_config_bkup.05.tar.gz
-rw-r--r--    1 root     system         8384 May 22 00:00 vios_config_bkup.04.tar.gz
-rw-r--r--    1 root     system         8384 May 22 00:00 vios_config_bkup.03.tar.gz
-rw-r--r--    1 root     system         8383 May 22 00:00 vios_config_bkup.02.tar.gz
-rw-r--r--    1 root     system         8384 May 22 00:00 vios_config_bkup.01.tar.gz
-rw-r--r--    1 root     system         8475 Jul 17 00:00 vios_config_bkup.08.tar.gz
-rw-r--r--    1 root     system         8474 Jul 18 00:00 vios_config_bkup.09.tar.gz
-rw-r--r--    1 root     system         8166 Jul 19 00:00 vios_config_bkup.10.tar.gz
-rw-r--r--    1 root     staff          8170 Jul 19 14:27 my_vios_config_bkup.tar.gz

To restore the automatic backup vios_config_bkup.10.tar.gz:

$ viosbr -restore -file /home/padmin/cfgbackups/vios_config_bkup.10.tar.gz

Source: man viosbr

15 Jul 2013

IBM Power Facts and Features

IBM Power Systems, IBM PureFlex and Power Blades
June 2013

