Blog

Apr 29

Heartbleed OpenSSL fixes

IBM has produced security bulletins that contain links to the latest OpenSSL updates:

(shortened links to IBM pages)

http://goo.gl/qBnP7V

http://goo.gl/QACSP8

Remember that you should think very seriously about obtaining a replacement certificate once you have patched your system, to ensure that your system is completely protected: it may already have been compromised, and your current certificate stolen.

Apr 28

DB2 Licencing

DB2 is installed from scripts and the licencing status can be hard to find. You need to locate the db2licm executable and then run it as follows:

# /opt/IBM/db2/V9.7/adm/db2licm -l
Product name:                     "DB2 Workgroup Server Edition"
License type:                     "Trial"
Expiry date:                      "07/13/2014"
Product identifier:               "db2wse"
Version information:              "9.7"
Max number of Value Units:        "480"
Max amount of memory (GB):        "64"

Product name:                     "DB2 Connect Server"
License type:                     "Trial"
Expiry date:                      "07/13/2014"
Product identifier:               "db2consv"
Version information:              "9.7"

or for the DB2 LDAP installation:

# /usr/opt/db2_08_01/adm64/db2licm -l
Product Name                            = "DB2 Enterprise Server Edition"
Product Identifier                      = "DB2ESE"
Version Information                     = "8.2"
Expiry Date                             = "Permanent"
Registered Connect User Policy          = "Disabled"
Number Of Entitled Connect Users        = "5"
Enforcement Policy                      = "Soft Stop"
Number of processors                    = "2"
Number of licensed processors           = "101"
Database partitioning feature           = "Not entitled"
Annotation                              = ""
Other information                       = ""

Product Name                            = "DB2 High Availability Disaster Recovery Option"
Product Identifier                      = "DB2HADR"
Version Information                     = "8.2"
Expiry Date                             = "Permanent"
Annotation                              = ""
Other information                       = ""

Product Name                            = "DB2 Advanced Security Option"
Product Identifier                      = "DB2ASO"
Version Information                     = "8.2"
Expiry Date                             = "Permanent"
Annotation                              = ""
Other information                       = ""

28-04-2014

Apr 28

Improving name resolution performance

AIX 6.1 introduced the netcd daemon, which caches resolver lookups (e.g. DNS). It is started by the SRC (System Resource Controller) from "/etc/rc.tcpip"; however, it is normally commented out (disabled) and won't run unless you create a configuration file.

The default file is "/etc/netcd.conf".

A really basic example is:

# cat /etc/netcd.conf
cache  all  protocols   600  1440

This caches all protocol resolutions in a hash table of 600 lines for 24 hours (1440 minutes).

Once the file has been created you can activate the daemon after each reboot by editing "/etc/rc.tcpip" as follows:

# Start up netcd daemon
start /usr/sbin/netcd "$src_running"

To manually start the daemon enter:
# startsrc -s netcd

To query its status:
# lssrc -l -s netcd
Subsystem         Group            PID          Status
netcd            netcd            12255406     active
Debug                            Inactive
Configuration File        /etc/netcd.conf
Configured Cache         local protocols
Configured Cache         dns protocols
Configured Cache         nisplus protocols
Configured Cache         nis protocols
Configured Cache         ulm protocols

The "/etc/netcd.conf" file has four different types of configuration:
- Caching settings
- Security settings
- Log level settings
- Daemon settings

1. Caching settings: You can specify what resolver should be cached:

# cache <type_of_cache> <type_of_map> <hash_size> <cache_ttl>
(default setting: cache all all 128 60)
(example for a DNS cache: cache dns hosts 128 0)

type_of_cache
Declares the type of cache. Possible values are all, local, dns, nis, nisplus, and yp.

type_of_map
Declares the map to be used to do the lookup. Check the netcd.conf man page or look at the sample file for a complete list.

hash_size
Specifies the number of lines used for the cache. (A hash table is used to store the cache.)

cache_ttl
Declares the time to live for a cache entry. The unit is minutes. The TTL is not used for local resource caches.

If you specify a value other than 0 for DNS caches, it will override the TTL of the DNS server response.

2. Security settings:

You can specify under which user and group the netcd daemon should run. The default user is root and the default group is system.

3. Log level settings:

The netcd daemon creates a log file in /var/tmp/netcd.log. You can specify a different log file location, a log file size limit in KB, and the number of log file rotations. The default setting is no size limit and therefore no rotations take place.
Use this syntax to change the settings:
log_file <file>
log_rotate <number>
log_size <number>

4. Daemon settings

net_scan_frequency
Specifies how often the netcd daemon looks for expired cache entries in network caches. The unit is minutes; the default is 1.

local_scan_frequency
Specifies how often the netcd daemon checks for changes to the local resources. The unit is minutes; the default is 1.

socket_queue_size
Indicates the message queue size. The unit is the number of outstanding requests; the default value is 256.
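Because a typo in "/etc/netcd.conf" silently leaves the resolver uncached, it is worth checking the file before starting the daemon. The script below is an added example (not from the original post or from AIX) that validates the cache, log and daemon keywords described above; any other keyword, including the security settings whose syntax is not shown here, only gets a warning.

```shell
#!/bin/sh
# Added example, not from the original post: a validator for the /etc/netcd.conf
# syntax described above. It checks "cache" lines for a known type_of_cache and
# numeric hash_size/cache_ttl, checks the log and daemon keywords the post lists
# (other keywords only get a warning), and flags a DNS cache with a non-zero TTL,
# since that overrides the TTL returned by the DNS server.
validate_netcd_conf() {   # usage: validate_netcd_conf [file]; reads stdin if no file
    awk '
    BEGIN { bad = 0 }
    function err(msg) { print "line " NR ": " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    $1 == "cache" {
        if (NF != 5) { err("cache needs <type_of_cache> <type_of_map> <hash_size> <cache_ttl>"); next }
        if ($2 !~ /^(all|local|dns|nis|nisplus|yp)$/) err("unknown type_of_cache " $2)
        if ($4 !~ /^[0-9]+$/ || $4 < 1) err("hash_size must be a positive integer")
        if ($5 !~ /^[0-9]+$/) err("cache_ttl must be a whole number of minutes")
        else if ($2 == "dns" && $5 > 0) print "line " NR ": note: non-zero TTL overrides the DNS server TTL"
        next
    }
    $1 ~ /^(log_rotate|log_size|net_scan_frequency|local_scan_frequency|socket_queue_size)$/ {
        if (NF != 2 || $2 !~ /^[0-9]+$/) err($1 " takes one numeric value")
        next
    }
    $1 == "log_file" { if (NF != 2 || $2 !~ /^\//) err("log_file takes one absolute path"); next }
    { print "line " NR ": warning: keyword " $1 " is not checked by this script" }
    END { exit bad }
    ' "${1:-/dev/stdin}"
}

# Constructed sample configurations (not from the post) used for a self-check.
good_conf() { printf 'cache all protocols 600 1440\ncache dns hosts 128 0\nlog_file /var/tmp/netcd.log\nlog_size 1024\nlog_rotate 5\n'; }
bad_conf()  { printf 'cache dnss hosts 128 0\ncache dns hosts x 0\nlog_rotate two\n'; }

good_conf | validate_netcd_conf && echo "good sample: accepted"
bad_conf  | validate_netcd_conf || echo "bad sample: rejected"
```

Run it against the real file with `validate_netcd_conf /etc/netcd.conf` before `startsrc -s netcd`; a non-zero exit means at least one line was rejected.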

Dump cache content

With the netcdctrl command you can dump the cache contents to a file. The dump can be either in binary or ascii format. To dump the DNS cache in ASCII format use the following command:
# netcdctrl -t dns -e hosts -a /tmp/netcd.cache.out

Displaying caching stats with netcdctrl

# netcdctrl -t dns -e hosts -s /tmp/netcd.stats
# more /tmp/netcd.stats
CACHE dns, hosts, name

Hash index : 0, Max number of entries : 0, Current number of entries : 0

Apr 25

Capacity on demand

Have you ever wondered how you can find out which features were activated when your system was ordered?
All you need to know is your system serial number and this can easily be obtained by running:

# prtconf | egrep "System Model:|Machine Serial Number:"
System Model: IBM,9111-520
Machine Serial Number: 659B6FC

Now open the IBM web page http://www-912.ibm.com/pod/pod and enter your system type and serial number, e.g.

System Type: 520
Serial Number: 65-9C8BF


You can also learn more about the features ordered from:
https://www-304.ibm.com/support/docview.wss?uid=isg3T1010860

Note
The machine ID number contains 12 characters in the following digit format:
xxyyyyyymmss. The xx positions indicate the system and are always 00. The yyyyyy
positions contain the unique ID number for the entire system. The mm positions
represent the model ID. The ss positions are the submodel number and are always 00.
The model ID describes the ID of the CPU planar, not the model of the system as a
whole.

Most machines share a common model ID of 4C.

Apr 25

Updating Wget

When you update AIX to a later level you may notice that many RPMs such as wget no longer work and may simply produce core dumps.

If this is the case you need to download the following RPMs (or later versions):

libidn-1.28-1.aix5.1.ppc.rpm
openssl-1.0.1g-1.aix5.1.ppc.rpm
openssl-devel-1.0.1g-1.aix5.1.ppc.rpm
openssl-doc-1.0.1g-1.aix5.1.ppc.rpm
wget-1.15-1.aix5.1.ppc.rpm

and then install/update your RPM as follows:

# rpm -Uvh ./*rpm
libidn                      ##################################################
openssl                     ##################################################
openssl-devel               ##################################################
openssl-doc                 ##################################################
wget                        ##################################################

Wget should now be working again:

# wget -h
GNU Wget 1.15, a non-interactive network retriever.
Usage: wget [OPTION]… [URL]…

Mandatory arguments to long options are mandatory for short options too.

Startup:
-V,  --version           display the version of Wget and exit.
-h,  --help              print this help.
-b,  --background        go to background after startup.
-e,  --execute=COMMAND   execute a `.wgetrc'-style command.

Log…
..

25-04-2014

Apr 14

Comparing Patches

It is vital to update your system regularly to ensure you have the latest and most stable version of AIX and its utilities, and to protect yourself against attack. Failure to keep your systems up to date can also mean that, if you have to call support, a lot of time could be wasted installing patches before you can implement a satisfactory solution.

Fortunately IBM has some tools that can make the job of maintaining patch levels and installing updates much easier. When you visit Fix Central and select your patches there is a compare report link next to each patch set.

If you download this text file to your AIX system you can then use the compare_report command to see which fixes you need and how the level of your system compares to that of the patch set, e.g.

# compare_report -s -r ./6100-08-00-1241.compare -h -v

This example will generate a list of the patch sets that are at a higher or lower level than those in the fix pack. For more details see the compare_report man page.
Once you have downloaded your patch sets to your system you can either install them from smit or by using my preferred method:

Change to the directory where you downloaded the patches and run:

# inutoc .
# install_all_updates -Yd .
install_all_updates: Initializing system parameters.
install_all_updates: Log file is /var/adm/ras/install_all_updates.log
install_all_updates: Checking for updated install utilities on media.

install_all_updates: Result = SUCCESS

(Where -Y accepts all licence agreements and -d identifies the directory where the patches are stored.)
The installation command produces a handy report in "/var/adm/ras/install_all_updates.log" that can be used to analyse the results of the patch operation.


Apr 14

OpenSSL Heartbleed (CVE-2014-0160)

There seems to be a lot of misinformation at the moment, and many pundits are suggesting that everyone should change their passwords NOW! Even stranger, they have even designed their own logo for the bug?

I would urge caution and say it is more sensible to wait and see who is vulnerable, and when they applied the patch(es). Then, and only then, would I suggest changing your passwords.

The fact is that if you have kept your AIX system up to date you are unlikely to have an old version of OpenSSL, and so are not vulnerable to this particular exploit; curiously, however, there are reports that the latest versions are affected.

What we do know so far is that the following versions are NOT vulnerable:

OpenSSL 0.9.8
OpenSSL 1.0.0
OpenSSL 1.0.1g

Versions of OpenSSL 1.0.1 to 1.0.1f (inclusive) are vulnerable.

A few days ago IBM issued a security advisory that can be accessed here:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
https://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
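Rather than arguing about logos, the useful first step is to inventory the OpenSSL version on each host. The script below is an added example (not from the original post or from IBM) that applies the version list above to the output of `openssl version` or to an RPM name in the form used elsewhere on this page; it assumes an unpatched upstream build, so on systems whose vendor backports the fix under the old version string the vendor advisory, not this check, is authoritative.

```shell
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL version string
# against the Heartbleed (CVE-2014-0160) list above: 1.0.1 through 1.0.1f are
# vulnerable; 0.9.8, 1.0.0 and 1.0.1g are not. Accepts "openssl version" output
# or an RPM name such as openssl-1.0.1g-1.aix5.1.ppc.rpm. Assumes an unpatched
# upstream build (vendors that backport fixes keep the old version string).
extract_openssl_version() {   # prints e.g. 1.0.1e, or nothing if unrecognised
    printf '%s\n' "$1" | sed -n \
        -e 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' \
        -e 's/^openssl-\([0-9][0-9.]*[a-z]*\)-.*/\1/p'
}

heartbleed_status() {   # prints a verdict; returns 1 if vulnerable, 2 if unknown
    ver=$(extract_openssl_version "$1")
    case "$ver" in
        1.0.1|1.0.1[a-f])         echo "$ver: VULNERABLE to CVE-2014-0160"; return 1 ;;
        0.9.8*|1.0.0*|1.0.1[g-z]) echo "$ver: not vulnerable"; return 0 ;;
        *) echo "${ver:-$1}: not classified, check the vendor advisory"; return 2 ;;
    esac
}

# Constructed inputs (not real systems) to exercise the classifier.
for s in "OpenSSL 1.0.1e 11 Feb 2013" "openssl-1.0.1g-1.aix5.1.ppc.rpm" \
         "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.2 22 Jan 2015"; do
    heartbleed_status "$s"
done
```

On a live host run `heartbleed_status "$(openssl version)"`; a return code of 1 is the cue to apply the IBM fix and then replace the certificate as the Apr 29 post recommends.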

14-04-2014

Apr 11

Mounting NFS shares from a Linux server

Almost every Unix/Linux server, except IBM, has "portcheck" enabled, which means that an NFS client must use reserved ports when connecting to the server. Fortunately this setting can be changed on the fly, and can also be made permanent. If you attempt to mount an NFS filesystem from a Linux server without portcheck, you will receive the following error:

# mount centos:/home/export /mnt
mount: 1831-008 giving up on:
centos:/home/export
vmount: Operation not permitted.

Once portcheck is activated, you can mount the filesystem:

# nfso -o nfs_use_reserved_ports=1
Setting nfs_use_reserved_ports to 1
# mount centos:/home/export /mnt
# df -g /mnt
Filesystem    GB blocks      Free %Used    Iused %Iused Mounted on
centos:/home/export    401.31    239.08   41%   115639     1% /mnt

Managing portcheck

To activate portcheck: # nfso -o nfs_use_reserved_ports=1

To deactivate portcheck: # nfso -o nfs_use_reserved_ports=0

To make the change permanent: # nfso -p -o nfs_use_reserved_ports=1

If this setting does not survive a reboot, you can manually edit the "/etc/tunables/nextboot" file as follows:
nfso:         nfs_use_reserved_ports = 1
# tuncheck -f /etc/tunables/nextboot

If interested in learning more about a tunable you can always use the "-h" option:
# nfso -h portcheck

Purpose: Checks whether an NFS request originated from a privileged port.

Values:
        Default: 0
        Range: 0 - 1
        Type: Dynamic
        Unit: On/Off

Tuning: Value of 0 disables the port-checking that is done by the NFS server. A value of 1 directs the NFS server to do port checking on the incoming NFS requests. This is a configuration decision with minimal performance consequences.
If nfs_use_reserved_ports=0, the AIX system uses non-reserved IP port numbers above 1024 when the NFS client communicates with the NFS server.
If nfs_use_reserved_ports=1, the AIX system uses reserved IP port numbers below 1024 when the NFS client communicates with the NFS server.

11-04-2014

Apr 01

What difference does the $LANG variable make?

Everyone knows that changing the language setting $LANG can change the way in which symbols such as € are displayed; however, they may not be aware of how subtly it can also change the way in which items such as the datestamp on files are displayed, e.g.

With $LANG set to "C":
crw-rw-rw-    1 root     system        2,  3 Oct 6 2011  /dev/zero

Snapshots for /test
Current  Name         Time
!          snapshot1    Tue Aug 14 14:40:52 2012
! *        snapshot2    Tue Aug 14 14:45:09 2012

With $LANG set to "EN_US":
crw-rw-rw-    1 root     system        2,  3 Oct 06 2011  /dev/zero

Snapshots for /test
Current  Name         Time
!          snapshot1    Tue Aug 14 14:40:52 CEST 2012
! *        snapshot2    Tue Aug 14 14:45:09 CEST 2012

Whilst these changes can seem purely cosmetic and appear to make no difference, if you are running automated tasks such as backup scripts they can make them fail or behave oddly.
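The two snapshot listings above differ only in the "CEST" field that the EN_US locale inserts, which is exactly the kind of shift that breaks a script picking values by column. The script below is an added example (not from the original post) using constructed lines that mirror those listings: it shows the fragile field-position parse, a parse that tolerates the extra field, and the usual fix of pinning the locale for batch jobs.

```shell
#!/bin/sh
# Added example, not from the original post. The constructed lines below mirror
# the snapshot listings in the post: identical apart from the locale-dependent
# "CEST" field. Parsing by field position works for one and not the other.
SNAP_C='! *        snapshot2    Tue Aug 14 14:45:09 2012'
SNAP_EN='! *        snapshot2    Tue Aug 14 14:45:09 CEST 2012'

# Fragile: assumes the year is the 8th whitespace-separated field.
snapshot_year_fragile() { printf '%s\n' "$1" | awk '{ print $8 }'; }

# Tolerant: the year is the last field whatever the locale inserts before it,
# and the value is validated (4 digits) so a bad line fails instead of
# feeding garbage to whatever uses it. Returns 1 if no year is found.
snapshot_year() {
    printf '%s\n' "$1" | awk '$NF ~ /^[0-9][0-9][0-9][0-9]$/ { print $NF; exit 0 } { exit 1 }'
}

# Preferred fix for backup and other batch scripts: run the command under a
# fixed locale so its output does not depend on the caller's environment.
run_c_locale() { LANG=C LC_ALL=C "$@"; }

echo "fragile, C locale line:     $(snapshot_year_fragile "$SNAP_C")"
echo "fragile, EN_US locale line: $(snapshot_year_fragile "$SNAP_EN")"
echo "tolerant, EN_US locale line: $(snapshot_year "$SNAP_EN")"
run_c_locale date
```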

01-04-2014