unixadmin.free.fr

18avr/13

IBM POWER 7 / BULL references

Bull Escala E1-700 / E3-700 (31E/2B ,8231-E2B)
Bull Escala E1-705 (31E/1C, 8231-E1C)
Bull Escala E1-715 (31E/1D, 8231-E1D)
Bull Escala E3-705 (31E/2C, 8231-E2C)
Bull Escala E3-715 (31E/2D, 8231-E2D)
Bull Escala E2-700 / E2-700T (02E/4B, 8202-E4B)
Bull Escala E2-705 / E2-705T (02E/4C, 8202-E4C)
Bull Escala E2-715 / E2-715T (02E/4D, 8202-E4D)
Bull Escala E4-700 / E4-700T (05F/6B, 8205-E6B)
Bull Escala E4-705 (05E/6C, 8205-E6C)
Bull Escala E4-715 (05E/6D, 8205-E6D)
Bull Escala E5-700 (33E/8B, 8233-E8B)
Bull Escala E5-715 (08E/8D, 8408-E8D)
Bull Escala M5-715 (09R/MD, 9109-RMD)
Bull Escala M6-700 (17M/MB, 9117-MMB)
Bull Escala M6-705 (17M/MC, 9117-MMC)
Bull Escala M6-715 (17M/MD, 9117-MMD)
Bull Escala M7-700 (79M/HB, 9179-MHB)
Bull Escala M7-705 (79M/HC, 9179-MHC)
Bull Escala M7-715 (79M/HD, 9179-MHD)
Bull Escala H9-700 (19F/HB, 9119-FHB)

SOURCE: BULL Support

Remplis sous: BULL SYSTEM Aucun commentaire

15fév/13

Simple AIX ipv4 filtering configuration – memo

In this example :
- One server with IP address (10.0.0.1) configured on en0 logical interface
IPSEC Rules :
- PERMIT SSH request to server (10.0.0.1) from only one client (10.0.0.2)
- DENY and "LOG" all other SSH connections
- DENY ALL packets

Prerequisites

To start firewall in AIX you need few packages to be installed:

- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

Recommandations
- Use TTY or VTY connections for the first AIX filtering configuration.
- add client hostname in /etc/hosts server
- Use hostname in genfilt rules for this example.

- check IP host resolution

# host server
server is 10.0.0.1

# host client
client is 10.0.0.2

Prepared syslog to record logs of rejected packets

# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd

Backup old rules

# lsfilt -v4 >> /tmp/lsfilt.bkp

Example of IPSec rules script

#!/usr/bin/ksh

# Remove all user rules
rmfilt -v 4 -n all

# Activate rules
mkfilt -v 4 -u

# Stop ipv4 LOG
mkfilt -v 4 -g stop

# DENY ALL
mkfilt -v 4 -u -z D

# PERMIT SSH request from client to server on en0 interface
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0

# PERMIT SSH answer from server to client on en0 interface
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0

# DENY and LOG all other SSH request on en0 interface
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0

# Activate rules
mkfilt -v 4 -u

# start ipv4 LOG to /var/adm/ipsec.log
mkfilt -v4 -g start

# Display Rules list
lsfilt -v4 -O

In ipsec.log trace below you can see that 10.0.0.5 is not authorised to request SSH server.

#tail -f /var/adm/ipsec.log

Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44

Source:

http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html

http://it.toolbox.com/blogs/unix-swing/sample-firewall-in-aix-48146

Taggé comme: IPSec Aucun commentaire

12fév/13

AIX “From Strength to Strength”

IBM AIX “From Strength to Strength”
A summary of upgrade benefits for each release of AIX
February, 2013 Edition

Download

Remplis sous: AIX Aucun commentaire

24jan/13

How to debug environnement problem with padmin user on Virtual I/O Server

What is interesting is the HMC command syntax with viosvrcmd and oem_setup_env, example:

unable run oem_setup_env

$ oem_setup_env
rksh: oem_setup_env: not found

debug via HMC

hmcV7:~ # viosvrcmd -m 9119-FHB -p VIOS1 -c "oem_setup_env
> ls -ld /home/padmin"
drwxr-x--- 9 root system 4096 Jan 24 11:13 /home/padmin

hmcV7:~ # viosvrcmd -m 9119-FHB -p VIOS1 -c "oem_setup_env
> chown padmin:staff /home/padmin"

login again with padmin

$ oem_setup_env
#

NOTE: hit return after the "oem_setup_env without ending the quotes. That will put you to the next line to run your command as root on the vios then end your quote.

Thank's Jonathan

Remplis sous: HMC, VIRTUAL I/O SERVER Aucun commentaire

20nov/12

Replace the physical adapter of the SEA

How can I replace the physical adapter of my SEA ?

Virtual I/O Server Version: 1.5.2.x-FP11.x, 2.1.0.x-FP20.x, 2.1.1.x-FP21.x, 2.1.2.x-FP22.x

Customer needs to replace the physical ethernet adapter of the SEA that is a NIC (Network Interface Card) with the same or different feature code from the original NIC but the same device driver.

NIC is in slot 5. Customer wants to replace the NIC with a different F/C but they use the same driver.
NOTE: This may not work if the replacement NIC uses a different device driver. You may need to remove the SEA and recreate it with the new NIC and new device driver.

1. Determine which ethernet device is the SEA:

$ lsdev -type adapter
ent8 Available Shared Ethernet Adapter

2. Make sure the SEA is in BACKUP state:

$ oem_setup_env
# entstat -d ent8 |grep State ---> must be in BACKUP

If State is PRIMARY, you must force failover to BACKUP state:

# chdev -l ent8 -a ha_mode=standby

3. Determine which is the real or physical adapter of the SEA:

# entstat -d ent8 |grep Real
Real Side Statistics:
Real Adapter: ent0

4. Determine the physical location code of the NIC:

# lscfg -vl ent0
ent0 U787B.001.DNW3CA2-P1-C1-T1 10/100/1000 Mbps Ethernet PCI-X Adapter II (1410ff01) b. C1 = slot 1

5. Determine which interface has IP address configured:

# netstat -in
Customer has IP address on SEA interface en8.
If no IP addresses are assigned to the SEA interface en8, skip steps 7 and 8.

6. Determine if SEA interface is using the default gateway:

# netstat -rn.

7. If IP address is assigned to the SEA interface, bring the interface down:

# ifconfig en8 down detach

8. Temporarily put the interface in a defined state:

# rmdev -l en8

9. Temporarily put the SEA device in a defined state:

# rmdev -l ent8 ---> SEA defined

10. Remove the real or physical ethernet device of the SEA;

# rmdev -dl ent0 ---> real adapter for ent8

11. Use hot plug manager to replace the adapter.

12. Run configuration manager:

# cfgmgr

13. Check that the new real or physical adapter is available:

# lsdev -Cc adapter

14. Make the SEA available:

# mkdev -l ent8

15. Check that SEA is available:

# lsdev -Cc adapter

16. Make the en interface available:

# mkdev -l en8 (or ifconfig en8 up)

17. Check that default gateway is assigned to the previously assigned interface (step 5):

# netstat -rn

If no default gateway:

# mkdev -l inet0

18. Check that en8 (or interface in step 5) can ping default gateway:

# ping <IP of default gateway>

19. Failover back to PRIMARY:

# chdev -l ent8 -a ha_mode=auto

SOURCE: Technote T1011065

Remplis sous: VIRTUAL I/O SERVER Aucun commentaire

16nov/12

VIOS SEA Failover flapping on backup SEA

Why is the backup SEA adapter of my SEA failover flapping from Primary to Backup repeatedly?

Software version: Virtual I/O Server
2.1.0.x-FP20.x, 2.1.1.x-FP21.x, 2.1.2.x-FP22.x, 2.1.2.12, 2.1.2.13, 2.1.3.10, 2.2.0, 2.2.0.10, 2.2.0.11, 2.2.0.12, 2.2.0.13, 2.2.1.0, 2.2.1.1, 2.2.1.3

The Shared Ethernet Adapter (SEA) failover hung or became unresponsive. The backup SEA adapter was flapping between Primary and Backup states which is seen as contention on the control channel between primary ( 1) and backup (2) of SEAs.

This issue can be caused by 2 different problems:

1) The backup SEA sends a pulse to the primary SEA to see if it is still alive. The primary VIO is not able to send heart beats to backup SEA fast enough due to a lack of available CPU cycles. The backup SEA with trunk priority 2 tries to become primary before it receives the reply and logs these SEAHA_PRIMARY, SEAHA_BACKUP errors. This can sometimes be resolved by changing the VIO CPUs from shared to dedicated.

Another resolution is to update the VIO servers to at least 2.2.0.12 FP24 SP02 to get the SEA fixes for this issue.

2) CPU folding enabled on VIO servers can cause SEA flapping and in turn will cause the VIO SEA to hang.

Processor folding: Processor folding currently is not supported for VIOS partitions. If processor folding is enabled on your VIOS, and migration media is used to move from VIOS 1.5 to 2.1.0.13 FP 23, or later, processor folding remains enabled. Upgrading via migration media does not change the processor folding state. If you have installed VIOS 2.1.3.0, or later, and have not changed the folding policy, then folding is disabled.

Check for CPU folding on VIOS:

$ oem_setup_env
# schedo -o vpm_fold_policy

If the value is anything other than 4, turn it off with this command:

# schedo -p -o vpm_fold_policy=4

The current value can also found in the ./kernel/kernel.snap file in the VIO snap.

Link: A explanation of AIX Virtual processor folding

AIX Virtual Processor Folding is Misunderstood

Remplis sous: PERFORMANCE, VIRTUAL I/O SERVER Aucun commentaire

23oct/12

ANR9999D_0521343731 and Could not determine media type , rc = 1

Problem

When the data is being backed up to a Tape Library/Drive, the following error is received during a write operation:
ANR9999D_0521343731 NtpOpen(pvrntp.c:1296) Thread<36>: Could not determine media type, rc = 1

Symptom

The label and checkin functions of the TSM Server work fine without any issues.

Cause

Wrong Drivers for the Library / Drives. Microsoft drivers were installed for the IBM LTO Drive.

Resolving the problem

Please verify that you are using the correct drivers for the device

Remplis sous: TSM Aucun commentaire

5oct/12

Graver un DVD-RAM sur DEBIAN LINUX

Installer dvd+rw-tools

root@GSE:~# apt-get install dvd+rw-tools

Lister le type de DVD ainsi que son fichier spécial

root@GSE:~# egrep '(CD|DVD)' /var/log/dmesg
[ 1.572312] ata2.00: ATAPI: HL-DT-ST DVDRAM GSA-4082B, A206, max UDMA/66
[ 1.681985] scsi 1:0:0:0: CD-ROM HL-DT-ST DVDRAM GSA-4082B A206 PQ: 0 ANSI: 5
[ 1.740407] Uniform CD-ROM driver Revision: 3.20
[ 1.740525] sr 1:0:0:0: Attached scsi CD-ROM sr0

root@GSE:~# grep sr0 /var/log/dmesg
[ 1.740401] sr0: scsi3-mmc drive: 32x/32x writer dvd-ram cd/rw xa/form2 cdda tray
[ 1.740525] sr 1:0:0:0: Attached scsi CD-ROM sr0

Formater un DVD-RW et DVD-RAM

root@GSE:~# dvd+rw-format /dev/sr0
* BD/DVD±RW/-RAM format utility by <appro@fy.chalmers.se>, version 7.1.
* 4.6GB DVD-RAM media detected.
- media is already formatted, lead-out is currently at
4473408 KiB which is 100.0% of total capacity.
- you have the option to re-run dvd+rw-format with:
-format=full to perform full (lengthy) reformat;
-ssa[=none|default|max]
to grow, eliminate, reset to default or
maximize Supplementary Spare Area.

root@GSE:~# dvd+rw-format -format=full /dev/sr0
* BD/DVDÂ±RW/-RAM format utility by <appro@fy.chalmers.se>, version 7.1.
* 4.6GB DVD-RAM media detected.
* formatting 74% ....

Informations

root@GSE:~# dvd+rw-mediainfo /dev/sr0
INQUIRY: [HL-DT-ST][DVDRAM GSA-4082B][A206]
GET [CURRENT] CONFIGURATION:
Mounted Media: 12h, DVD-RAM
Current Write Speed: 3.0x1385=4155KB/s
Write Speed #0: 3.0x1385=4155KB/s
GET [CURRENT] PERFORMANCE:
Write Performance: 3.0x1385=4155KB/s@[0 -> 2236703]
Speed Descriptor#0: 02/2236703 R@3.0x1385=4155KB/s W@3.0x1385=4155KB/s
READ DVD STRUCTURE[#0h]:
Media Book Type: 00h, DVD-ROM book [revision 0]
Legacy lead-out at: 2314080*2KB=4739235840
DVD-RAM SPARE AREA INFORMATION:
Primary SA: 12800/12800=100.0% free
Supplementary SA: 58368/58368=100.0% free
DVD-RAM WRITE PROTECTION STATUS:
Persistent Write Protection is off
READ DISC INFORMATION:
Disc status: other
Number of Sessions: 1
State of Last Session: complete
"Next" Track: 1
Number of Tracks: 1
READ FORMAT CAPACITIES:
formatted: 2236704*2048=4580769792
00h(800): 2236704*2048=4580769792
00h(800): 2295072*2048=4700307456
01h(800): 2226976*2048=4560846848
01h(800): 2217248*2048=4540923904
FABRICATED TOC:
Track#1 : 14@0
Track#AA : 14@2236704
Multi-session Info: #1@0
READ CAPACITY: 2236704*2048=4580769792

Protection

root@GSE:~# dvd-ram-control -rdonly /dev/sr0
Persistent Write Protection is on

root@GSE:~# dvd-ram-control -rdwr /dev/sr0
Persistent Write Protection is off

Graver le contenu d'un répertoire

root@GSE:/# growisofs -Z /dev/sr0 -R -J /tmp/dir1

Ajouter au DVD le contenu d'un autre répertoire

root@GSE:/# growisofs -M /dev/sr0 -R -J /tmp/dir2

Graver une image ISO

root@GSE:~# growisofs -Z /dev/sr0=stresslinux_64bit_11.4.x86_64-0.7.106.iso

Remplis sous: LINUX Aucun commentaire

13sept/12

ibmonitor: interactive bandwidth monitoring tool for Linux

ibmonitor is an interactive linux console application which shows bandwidth consumed and total data transferred on all interfaces.

http://ibmonitor.sourceforge.net/

Interface Received Sent Total
Kbps Kbps Kbps

eth0 1148.40 54288.64 55436.96

eth1 1.04 0.00 1.04

lo 2.48 2.48 4.96

All 1151.92 54291.12 55442.96

Press 'q' to quit... Elapsed time: 0 hrs, 2 mins, 16 s

Remplis sous: LINUX Aucun commentaire

11sept/12

ANR2969E Database restore terminated. DB2 sqlcode: -2033. DB2 sqlerrmc: 5802

Problem
Impossible to restore TSM database 6.1 on Windows 2008 64-bits (Ex: TSM Install directory : C:\TSM)
Problem for Tivoli Storage Manager to complete a database restoration with DB2 SQLCODE: -2033 and sqlerrmc 5802

Cause
With Tivoli Storage Manager 6.1 Fixpack 5 the TSM API display version 6.2.1

I note this when I run dsmsutil.exe utility before "dsmserv restore db"
Just for test, dsmapipw is normally use on Unix.

C:\TSM\db2\adsm\dsmapipw.exe
**************************
* Tivoli Storage Manager
* API Version = 6.2.1
**************************
Actual password:TSMDBMGR
New password:TSMDBMGR
Environment setup failed: (5802)

C:\TSM\db2\BIN\db2adutl.exe query
Environment problem

Resolving the problem

In most case the reinstallation of TSM client correct the problem.
In my case, I needed to compare version of all TSM API binary in Extraction directory with installation path.
right clic > properties > detail > and check the file version.
Ex: compare C:\tsm_image\TSM_BA_client\system64\tsmapi64.dll and C:\Windows\system32\tsmapi64.dll

In my case tsmapi64.dll, dsmntapi64.dll and tsmutil164.dll from C:\Windows\system32\ directory display 6.2.1 version, the new TSM client 6.1 installation wasn't overwrite file in system32 directory, but write 6.1.5.0 in registry ???
I must overwrite manually the wrong files with correct dll from C:\tsm_image\TSM_BA_client\system64, then reload TSM database recovery process ... that's works

Below a example of TSM 6.1 disaster recovery from scratch:

- remove TSM 6.1 => C:\TSM\_uninst\Uninstall Tivoli Storage Manager.exe

- remove TSM client 6.1 => Control panel > software > remove TSM client

- remove old Windows service => Ex: sc delete "TSM Scheduler"

- reboot Windows 2008 64-bits Operating system

- install TSM server 6.1.0.0 64-bits => CZ1N9ML.exe

- install TSM client 6.1.0.0 64-bits => 6.1.0.0-TIV-TSMBAC-WinX64.exe

- apply fixpack 6.1.5.0 => 6.1.5.0-TIV-TSMALL-WindowsX64.exe and 6.1.5.0-TIV-TSMBAC-WinX64.exe

- check Windows environment variable after new installation for DB2 and Global Secure ToolKit (GSK7_64)
Update the variable and remove old PATH that cannot be removed during uninstall.

- reboot and log back in with db2user1 account created during tsm install

- check and remove registry directory Server1 only:
HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM\CurrentVersion\Server\Server1

- run C:\TSM\server\dsmicfgx.exe and create a new TSM Server1 instance

- after, stop the Windows services for the fresh TSM instance (TSM Server1) and TSM db2 instance (DB2 - DB2TSM1 - SERVER1)

- open the db2 command line processor

C:\TSM\db2\bin\db2cmd.exe

- list db2 instance

db2ilist

- drop instance SERVER1

db2idrop Server1

- create db2 instance for new TSM instance SERVER1

db2icrt -u db2user1 Server1

- set Windows environment variable DB2INSTANCE

set DB2INSTANCE=Server1

- set db2 environment variable DB2_VENDOR_INI for DB2 instance Server1

db2set -i server1 DB2_VENDOR_INI=C:\TSM\Server1\tsmdbmgr.env

- restart db2

db2stop
db2start

- Ensure that the DSMI_CONFIG environment variable points to a valid TSM options file

set DSMI_CONFIG=C:\TSM\Server1\tsmdbmgr.opt

- Enter the following command on one line

C:\TSM\server\dsmsutil.exe UPDATEPW /NODE:$$_TSMDBMGR_$$ /PASSWORD:TSMDBMGR /VALIDATE:NO

! A directory Server1 is created during the initial instance creation.
- remove all files and directory in the database, active log and archive log installation directory
Ex:
D:\tsm01\db01
E:\tsm01\db02
F:\tsm01\db03
G:\tsm01\db04
H:\tsm01\actlog
I:\tsm01\archlog

- restore the volhist.dat, dsmserv.opt, devconfig.dat need by "dsmserv restore db" files to C:\TSM\Server1

- create a text file C:\TSM\Server1\dbdir.txt with database paths like :
D:\tsm01\db01
E:\tsm01\db02
F:\tsm01\db03
G:\tsm01\db04

- from the C:\TSM\Server1 directory run :

C:\TSM\server\dsmserv.exe restore db activelogd=H:\tsm01\actlog recoveryd=I:\tsm01\archlog on=C:\TSM\Server1\dbdir.txt

- after database restore, try to start the Tivoli Storage Manager server in the foreground with dsmserv.exe :

C:\TSM\server\dsmserv.exe -k Server1

Once this looks good, then halt it and start the Tivoli Storage Manager "TSM Server1" service

- If you have this below message, empty directory archive log and reload dsmserv.exe

ANR1905E Path I:\tsm01\archlog for ARCHLOGDIRECTORY does not exist or is not empty.

Help

if you want to know what the DB2 error means :

C:\TSM\db2\bin\db2cmd.exe db2

(c) Copyright IBM Corporation 1993,2007
Interpréteur de commandes de DB2 Client 9.5.6
db2 => ? sql-2033

For the SQLERRMC value check the include file "C:\TSM\api64\INCLUDE\dsmrc.h"

/*=============================================================================
Return codes 5801 - 5849 are reserved for cryptography/security
=============================================================================*/
#define DSM_RC_CRYPTO_ICC_CANNOT_LOAD 5802

Good luck

Remplis sous: TSM Aucun commentaire

Anciennes »

unixadmin.free.fr just another IBM blog