AIX 7.1 New Features

AIX 6.1 provided a wealth of new features and functionality. Upgrading from previous versions of the OS could prove a massive challenge and demand that users learn a lot of new commands.

The change between versions 6.1 and 7.1 is far more subtle, and in some cases almost imperceptible. The problem is that this has left many businesses wondering why they should bother upgrading whilst AIX 6.1 is still supported.

My personal view is that IBM will start to include more new Power-7 and Power-8 functionality in AIX 7.1, whilst only providing basic compatibility for version 6.1 users. A good example of this is that the new Active Memory™ Expansion technology is only available on (non Express) Power-7 and Power-7+ systems.

Here is a brief summary of the new functionality currently available:

1. The amepat (Active Memory™ Expansion Planning and Advisory Tool) command (also available in AIX 6.1) can be used to plan and test the effectiveness of your AME configurations.

2. New switches have been added to the vmstat, lparstat, and svmon commands in order to monitor the effectiveness of AME configurations.

3. AIX 7.1 now supports NTP version 4. You can have both versions installed and flip between them by re-linking the “/usr/sbin/xntpd” executable.

4. New performance tuning options are available in the “/usr/lib/security/methods.cfg” file e.g.

program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = kadmind_timeout=300

5. AIX 7.1 can support up to 8192 user groups. Earlier versions only supported 128, which is the default setting. The current value can be checked as follows:

# lsattr -El sys0 -a ngroups_allowed
ngroups_allowed 128 Number of Groups Allowed True

6. The “caseExactAccountName” option can now be added to the “/etc/security/ldap/ldap.cfg” file enabling AIX LDAP to conduct non-case-sensitive searches.

7. AIX 6.1 and 7.1 can now include a pathid in the system boot (bosboot) string (This is also available in later versions of 6.1)

# lspath -t
Enabled hdisk0 scsi1 0
Enabled hdisk1 scsi1 0
Enabled hdisk2 scsi1 0
Enabled hdisk3 scsi1 0

10. NFS-4 now includes the nfs4cl command (This is also available in later versions of 6.1)

# nfs4cl showfs

Server      Remote Path          fsid                 Local Path
--------    ---------------      ---------------      ---------------

Encrypted filesystems

EFS was introduced in AIX 6.1. It enables files, directories, and filesystems to be encrypted so that even root cannot access them without having the key/credentials. It also means that if your system is booted in maintenance mode, or a disk is misplaced, the data remains safe.

In order to use EFS you must first install the CLIC (crypto) libraries:

# lslpp -l 'clic*'
Fileset                      Level  State      Description
Path: /usr/lib/objrepos
clic.rte.kernext   COMMITTED  CryptoLite for C Kernel
clic.rte.lib       COMMITTED  CryptoLite for C Library

Once installed you can run the “efsenable” command. This creates the “/var/efs” directory and adds entries to the ODM, “/etc/security/user” and “/etc/security/group” files.

Risks and remediation

EFS is only secure so long as the keys are not compromised.
WARNING! The default cipher is AES_128_CBC, which is considered breakable. If you are concerned you should use the “-f cipher” argument when running “efsenable”. You should also check the “/etc/security/user” and “/etc/security/group” files to ensure that the default is set correctly:

lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo
lssec -f /etc/security/group -s default -a efs_keystore_algo
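
The same check can be scripted against copies of the two stanza files, for example when auditing several hosts from collected configuration. The script below is an added example, not part of the original article: the sample file contents, the user name "alice" and the wanted values (AES_256_CBC, RSA_2048) are assumptions chosen for the demonstration and should be replaced with your own policy.

```shell
#!/bin/sh
# Added example: audit the EFS defaults in AIX-style stanza files without lssec,
# so it can be run offline against copies of the files.

# Print the value of attribute $3 in stanza $2 of stanza file $1.
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[*]/ { next }                          # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
        cur == s {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == a) { print val; exit }
        }' "$1"
}

# Compare one default-stanza attribute with the wanted value; return 1 on mismatch.
check_default() {   # file attr wanted
    got=$(stanza_attr "$1" default "$2")
    if [ "$got" = "$3" ]; then
        echo "OK    $1 $2=$got"
    else
        echo "CHECK $1 $2=${got:-<unset>} (wanted $3)"
        return 1
    fi
}

# Wanted values are assumptions for the demo; set them to your site policy.
audit_efs_defaults() {   # userfile groupfile
    rc=0
    check_default "$1" efs_file_algo AES_256_CBC || rc=1
    check_default "$1" efs_keystore_algo RSA_2048 || rc=1
    check_default "$2" efs_keystore_algo RSA_2048 || rc=1
    return $rc
}

# Constructed sample files (not taken from a real system).
SAMPLE=$(mktemp -d)
printf '%s\n' '* constructed sample' 'default:' '    admin = false' \
    '    efs_keystore_algo = RSA_1024' '    efs_file_algo = AES_128_CBC' '' \
    'alice:' '    efs_file_algo = AES_256_CBC' > "$SAMPLE/user"
printf '%s\n' 'default:' '    efs_keystore_algo = RSA_2048' > "$SAMPLE/group"

audit_efs_defaults "$SAMPLE/user" "$SAMPLE/group" || echo "EFS defaults need review"
```

A per-user stanza such as "alice" can override the default, so a complete audit would also walk the individual user and group stanzas with stanza_attr.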