Download AIX ISO images from IBM

This post shows how to download AIX installation ISO images from the IBM Entitled Systems Support website. A valid IBMid and a current IBM software maintenance agreement (SWMA) are required for the download. As an example we show the download of the AIX installation ISO images for AIX 7.2 TL5. However, ISO images for other AIX versions or other software, e.g. PowerHA, can also be downloaded in the same way.

AIX and other software can be downloaded from the IBM Entitled Systems Support website. The URL for the website is:

https://www.ibm.com/servers/eserver/ess

IBM Entitled Systems Support (ESS)
Click on “Log in” to log into IBM Entitled Systems Support (ESS)

In order to log in, you need a valid IBMid and a valid software maintenance contract. After clicking on the blue “Log in” button, a login mask appears.

Entitled Systems Support (ESS) Log in
Specify the IBMid and then click the “Continue” button.

After entering a valid IBMid and confirming with the “Continue” button, you will be asked for a password.

Entitled Systems Support (ESS) Password
After entering the password, log in with the “Log in” button.

After entering the password, the main page of Entitled Systems Support appears.

Entitled Systems Support
“My Entitled Software” can be selected to download software.

“My Entitled Software” should be selected to download software.

ESS My Entitled Software
To download AIX or other software, the “Software Downloads” link must be selected.

From the displayed selection of options, the “Software Downloads” link should be clicked.

ESS Software Downloads
Select category “AIX” and group “V7R2 (GA)” for AIX 7.2. Then click on the magnifying glass.

The software to be downloaded can be selected either by specifying the category, or the machine type, or by directly selecting a product. We show the variant “By category”, by selecting the category “AIX” and the desired version “V7R2 (GA)” for AIX 7.2.

ESS AIX 7.2 TL Support
To download a specific AIX 7.2 TL, “AIX 7.2 TL support” should be selected and then the selection should be confirmed with the “Continue” button.

From the list of available “AIX 7.2” products, “AIX 7.2 TL support” should be selected.

ESS AIX 7.2 TL5
Select the AIX 7.2 TLs 05 and confirm with “Continue”.

From the list of available packages, the package for the desired TL (AIX 7.2 TL05) should be selected. Pressing the “Continue” button confirms the selection.

Before the software can finally be downloaded, IBM’s general terms and conditions must be confirmed.

ESS Software Downloads Terms and Conditions
The general terms and conditions must be confirmed here.

Next you have to select whether the download should be done via the browser or with the help of the download director. We have decided to download using a browser.

ESS Software Download method
We select download with the browser and confirm with “Continue”.

Next, the available images are displayed. We select the install images “AIX v7.2 Install DVD 1”, “AIX v7.2 Install DVD 2” and “AIX v7.2 Install flash”.

ESS Software Download Start
Start the download of the AIX 7.2 TL5 ISO images by clicking “AIX v7.2 Install DVD 1” and “AIX v7.2 Install DVD 2”.

The progress of the download can be followed via the browser:

ESS Software Download Progress
Download progress via the browser.

PowerHA, PowerVM or any other software can be downloaded in the same way via IBM Entitled Systems Support (ESS). However, a valid software maintenance contract for the corresponding software is always required.

LPAR tool: Console

lpar console

A console can be opened for an LPAR at any time using the LPAR tool:

$ lpar console lpar01
Open in progress
Open completed.
PowerPC Firmware
SMS 1.7 (c) Copyright IBM Corp. 2000,2008 All rights reserved.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Main Menu
1. Select Language
2. Setup Remote IPL (Initial Program Load)
3. Change SCSI Settings
4. Select Console
5. Select Boot Options
…

To terminate a console session, the escape sequence “~.” used.

Some LPAR tool commands support opening a console via the “-c” (console) option:

    • Activating an LPAR with “lpar activate -c“.
    • Shutting down an LPAR with “lpar shutdown -c“.
    • Shutting down the operating system with “lpar osshutdown -c“.
    • Initiating a system dump for an LPAR with “lpar dumprestart -c“.

A presentation on the subject can be found here: Console with the LPAR tool

ANS1592E Failed to initialize SSL protocol.

During a TSM operation, the following error message occurs:

# dsmc q sess -se=TSM01
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 9.0
  Client date/time: 12/09/22   08:33:24
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Node Name: aixdbt01
ANS1592E Failed to initialize SSL protocol.

#

A possible cause is the missing certificate of the associated TSM instance, in the above case TSM01. The missing certificate can be found on the TSM server in the directory of the instance. The instance directory is usually given to the TSM server process (dsmserv) when it is started with the “-i” option:

# ps -ef|grep dsmser[v]
   tsm01 29295008        1 1198   Nov 08      - 54389:56 /opt/tivoli/tsm/server/bin/dsmserv -i /appdata/cf/TSM01 -o /appdata/cf/TSM01/TSM01.opt -q
#

In this case /appdata/cf/TSM01 is the instance directory. This directory contains the instance’s certificate in the cert256.arm file:

# ls -l /appdata/cf/TSM01/cert256.arm
-rw-r--r--    1 tsm01    tsm            1164 Apr 13 2021  /appdata/cf/TSM01/cert256.arm
#

The certificate cert256.arm should then be copied to the client system, we assume it has been copied to /tmp.

The dsmcert command for managing certificates is located under /usr/tivoli/tsm/client/ba/bin64. The certificate can then be installed (added) with the following call:

# cd /usr/tivoli/tsm/client/ba/bin64
# ./dsmcert -add -server TSM01 -file /tmp/cert256.arm
IBM Spectrum Protect
dsmcert utility
  dsmcert Version 8, Release 1, Level 9.0
  dsmcert date/time: 12/09/22   08:44:26
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Result : Success
#

Subsequent access to the TSM instance using e.g. “dsmc q sess” should then work:

# dsmc q sess -se=TSM01
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 9.0
  Client date/time: 12/09/22   08:44:55
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Node Name: aixdbt01
Session established with server TSM01: AIX
  Server Version 8, Release 1, Level 16.000
  Server date/time: 12/09/22   08:44:56  Last access: 12/09/22   03:02:56

IBM Spectrum Protect Server Connection Information

Home Server Name........: TSM01
Server Type.............: AIX
Archive Retain Protect..: "No"
Server Version..........: Ver. 8, Rel. 1, Lev. 16.0
Last Access Date........: 12/09/22   03:02:56
Delete Backup Files.....: "No"
Delete Archive Files....: "No"
Deduplication...........: "Server Only"

Node Name...............: aixdbt01
User Name...............: root

SSL Information.........: TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Secondary Server Information
Not configured for failover

#

CVE-2021-25220: AIX is vulnerable to cache poisoning due to ISC BIND

CVE-2021-25220 describes a vulnerability in ISC BIND. Using our tool “apar“, some questions are examined and answered below, such as: is my system affected by this vulnerability, where can I find a more detailed description of the vulnerability, where can I find a fix to close the vulnerability, are there other vulnerabilities of which my system is affected?

Note: The “apar” tool is available in our download area in versions for AIX (VIOS), Linux and MacOS. It includes a time-limited trial license. See the Manage and Access APARs for more information on using the tool.

Is my system affected by this vulnerability?

Information about the vulnerability can be displayed using the “apar show” command and the “CVE-2021-25220” argument:

$ apar show CVE-2021-25220
type:         sec
product:      aix
versions:     7300-00-01,7300-00-02
abstract:     AIX is vulnerable to cache poisoning due to ISC BIND
apars:        CVE-2021-25220,IJ40614
fixedIn:      7300-00-03
ifixes:       IJ40614m2b.220718.epkg.Z
bulletinUrl:  https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc
filesets:     bos.net.tcp.bind:7.3.0.0-7.3.0.1,bos.net.tcp.bind_utils:7.3.0.0-7.3.0.1
issued:       20220728
updated:      
siblings:    
download:     https://aix.software.ibm.com/aix/efixes/security/bind_fix21.tar
cvss:         CVE-2021-25220:6.8
reboot:       no
…
$

Multiple records are displayed. There are separate records for different AIX and VIOS versions. Each record contains a line with the associated AIX or VIOS versions (line “versions: …”). In addition, the affected filesets are listed, including the version (line “filesets: …”). If, for example, AIX 7300-00-01 or 7300-00-02 is installed on my system (command “oslevel –s”) and I have one of the fileset versions listed (command “lslpp –l bos.net.tcp.bind bos.net .tcp.bind_utils“), then my system is affected by the vulnerability.

Where can I find a more detailed description of the vulnerability?

IBM typically offers more detailed information about a vulnerability via a so-called bulletin. The URL for the bulletin is shown in the output of “apar show” (above) on the line beginning with “bulletinUrl: …”. In the case above, this is https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc . This URL can be specified in a browser. When using the “apar” command, the bulletin can also be displayed directly on the command line, this can be done with the command “apar bulletin” and the number of the CVE (here CVE-2021-25220) or the fix or APAR number ( e.g. IJ40614):

$ apar bulletin CVE-2021-25220
IBM SECURITY ADVISORY

First Issued: Thu Jul 28 13:24:22 CDT 2022

The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc
https://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc
ftp://aix.software.ibm.com/aix/efixes/security/bind_advisory21.asc

Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND
    (CVE-2021-25220)

===============================================================================

SUMMARY:

    A vulnerability in ISC BIND could allow a remote attacker to poison the
    cache (CVE-2021-25220). AIX uses ISC BIND as part of its DNS functions.


===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2021-25220
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
    DESCRIPTION: ISC BIND could allow a remote attacker to bypass security
        restrictions, caused by an error when using DNS forwarders. An
        attacker could exploit this vulnerability to poison the cache with
        incorrect records leading to queries being made to the wrong servers,
        which might also result in false information being returned to
        clients.
    CVSS Base Score: 6.8
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/221991
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
…
$

All associated APARs are usually listed in the bulletin. You will also find an overview of the fixes and corresponding versions.

Where can I find a fix to close the vulnerability?

In the records above, you will also find a listing of the associated fixes in the line beginning with “ifixes: …”. In the case mentioned, this is the fix IJ40614m2b.220718.epkg.Z. In many cases, several fixes are listed and you have to select the correct fix from the list. The description in the bulletin is helpful here, with a list of which fix is to be used for which version.

The URL for downloading the fix(s) is given in the line beginning with “download: …”, in the current case this is the following URL:

https://aix.software.ibm.com/aix/efixes/security/bind_fix21.tar

The fix can be downloaded with a browser, for example. When using the “apar” command, however, this is even easier using the command line. The “apar” command can be invoked with the argument “download” and the CVE number or fix number. Then it downloads the fix and stores it in the current working directory:

$ apar download CVE-2021-25220
downloading bind_fix21.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19.1M  100 19.1M    0     0  1480k      0  0:00:13  0:00:13 --:--:-- 1672k
$

The fix is saved under the name used in the URL, here bind_fix21.tar.

Are there other vulnerabilities affecting my system?

The command “apar check” can be used to examine a system for known vulnerabilities. In order for the command to be able to access the information about installed fixes, the command must be started with root privileges.

Here is an example of a system with all relevant fixes installed:

aix01 # apar check
SUMMARY: 2/2 fixes installed
aix01 #

And below is an example of a system with only a few relevant fixes installed:

aix02 # apar check
SUMMARY: 4/8 fixes installed (2 APARs have no fix specified)
aix02 #

Of the 8 known (IBM disclosed) vulnerabilities, only 4 of the vulnerabilities have the associated fixes installed. If you want to know which vulnerabilities are open, one of the options “-b” (brief report) or “-l” (long report) can be used:

aix02 # apar check -b
20220817  sec  aix  CVE-2022-1292,CVE-2022-2068,CVE-2022-2097  AIX is vulnerable to arbitrary command execution due to OpenSSL
INSTALLED: no fix installed

20220912  sec  aix  CVE-2022-36768  AIX is vulnerable to a privilege escalation vulnerability due to invscout
INSTALLED: no fix installed

20220923  sec  aix  CVE-2021-20266,CVE-2021-20271,CVE-2021-3421  AIX is vulnerable to arbitrary code execution and RPM database corruption and denial of service due to RPM.
INSTALLED: no fix installed

20220928  sec  aix  CVE-2018-25032  AIX is vulnerable to denial of service due to zlib and zlibNX
INSTALLED: no fix installed

SUMMARY: 4/8 fixes installed (2 APARs have no fix specified)
aix02 #

The “apar” command supports further options, which are described in Manage and Access APARs.

Manage and Access APARs

Keeping AIX and virtual I/O servers up to date with regard to HIPER and SECURITY fixes has become enormously important in recent years. To do this, the systems must be checked regularly for any missing fixes. The appropriate fixes must be downloaded and then installed. Determining which fix needs to be installed on a particular system often involves viewing bulletins with a web browser. PowerCampus 01 provides the ‘apar‘ command to simplify the management of fixes. This makes working with fixes and APARs as well as CVEs much easier.

Some sample uses of the ‘apar‘ command

The ‘apar‘ command allows the download of HIPER and SECURITY fixes, the checking of systems (AIX and VIOS) for installed and missing fixes, as well as the display and targeted search for fixes. In order to be able to use all functionalities, a direct Internet connection or a connection via an http proxy server is required. The command is available in versions for AIX, Linux and MacOS. A number of example calls are shown below.

Example 1: What fixes have been released in the last 30 days?

$ apar last
20220817  sec  aix  CVE-2022-1292,CVE-2022-2068,CVE-2022-2097  AIX is vulnerable to arbitrary command execution due to OpenSSL
20220912  sec  vios  CVE-2022-29824,IJ42339,IJ42378,IJ42379  AIX is vulnerable to a denial of service due to libxml2 for VIOS
20220912  sec  vios  CVE-2022-29824,IJ42339,IJ42378,IJ42379  AIX is vulnerable to a denial of service due to libxml2 for VIOS
20220912  sec  aix  CVE-2022-29824,IJ42339,IJ42378,IJ42379  AIX is vulnerable to a denial of service due to libxml2
20220912  sec  aix  CVE-2022-29824,IJ42341  AIX is vulnerable to a denial of service due to libxml2
20220912  sec  aix  CVE-2022-29824,IJ42381  AIX is vulnerable to a denial of service due to libxml2
20220912  sec  vios  CVE-2022-29824,IJ42381  AIX is vulnerable to a denial of service due to libxml2 for VIOS
20220912  sec  vios  CVE-2022-34356,IJ41396,IJ41685,IJ41795  AIX kernel is vulnerable to a privilege escalation vulnerability for VIOS
20220912  sec  aix  CVE-2022-34356,IJ41396,IJ41685,IJ41795  AIX kernel is vulnerable to a privilege escalation vulnerability
20220912  sec  vios  CVE-2022-34356,IJ41396,IJ41685,IJ41795  AIX kernel is vulnerable to a privilege escalation vulnerability for VIOS
20220912  sec  aix  CVE-2022-34356,IJ41687  AIX kernel is vulnerable to a privilege escalation vulnerability
20220912  sec  aix  CVE-2022-34356,IJ41688  AIX kernel is vulnerable to a privilege escalation vulnerability
20220912  sec  vios  CVE-2022-34356,IJ41706  AIX kernel is vulnerable to a privilege escalation vulnerability for VIOS
20220912  sec  aix  CVE-2022-34356,IJ41706  AIX kernel is vulnerable to a privilege escalation vulnerability
20220912  sec  aix  CVE-2022-36768  AIX is vulnerable to a privilege escalation vulnerability due to invscout
$

Example 2: Displaying information about APAR ID IJ42341.

$ apar show IJ42341
type:         sec
product:      aix
versions:     7300-00-01,7300-00-02
abstract:     AIX is vulnerable to a denial of service due to libxml2
apars:        CVE-2022-29824,IJ42341
fixedIn:      7300-00-04
ifixes:       IJ42341s2a.220907.epkg.Z
bulletinUrl:  https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
filesets:     bos.rte.control:7.3.0.0-7.3.0.1
issued:       20220912
updated:      
siblings:    
download:     https://aix.software.ibm.com/aix/efixes/security/libxml2_fix3.tar
cvss:         CVE-2022-29824:5.5
reboot:       no
$

Example 3: Viewing the bulletin for APAR ID IJ42341.

$ apar bulletin IJ42341
IBM SECURITY ADVISORY

First Issued: Mon Sep 12 15:07:01 CDT 2022

The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc
ftp://aix.software.ibm.com/aix/efixes/security/libxml2_advisory3.asc

Security Bulletin: AIX is vulnerable to a denial of service due to libxml2
    (CVE-2022-29824)
…

    REMEDIATION:

        A. APARS
           
            IBM has assigned the following APARs to this problem:

            AIX Level APAR     Availability  SP        KEY
            -----------------------------------------------------
            7.2.4     IJ42381  **            N/A       key_w_apar
            7.2.5     IJ42339  **            SP06      key_w_apar
            7.3.0     IJ42341  **            SP04      key_w_apar
…
$

Example 4: Download the fix for APAR IJ42341.

$ apar download IJ42341
downloading libxml2_fix3.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 30.8M  100 30.8M    0     0  1522k      0  0:00:20  0:00:20 --:--:-- 1638k
$

The fix is downloaded to the current working directory.

Example 5: Searching for fixes for the keywords ‘memory‘ and ‘leak‘.

$ apar search memory leak
20141029  CVE-2014-3513,CVE-2014-3566,CVE-2014-3567  AIX OpenSSL Denial of Service due to memory leak in  DTLS / AIX OpenSSL Patch to mitigate CVE-2014-3566 / AIX OpenSSL Denial of Service due to memory consumption
20150319  IV71217  NODE DOWN IN CAA CLUSTER DUE TO CONFIGRM MEMORY LEAK
20150319  IV71217  NODE DOWN IN CAA CLUSTER DUE TO CONFIGRM MEMORY LEAK
20150319  IV71219  NODE DOWN IN CAA CLUSTER DUE TO CONFIGRM MEMORY LEAK
$

Example 6: Checking the current system (AIX or VIOS).

# time apar check
SUMMARY: 6/21 fixes installed (3 APARs have no fix specified)

Real   2.00
User   0.40
System 0.23
#

To check a system for fixes, root privileges are required to determine the list of installed fixes.

The check took 2 seconds and determined that only 6 out of 21 of the existing fixes are installed.

The missing fixes can be displayed using the option ‘-b‘ (brief listing) or ‘-l‘ (long listing):

# time apar check -b
20210315  sec  aix  CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803,CVE-2020-27221,CVE-2020-2773  Multiple vulnerabilities in IBM Java SDK affect AIX
INSTALLED: no fix installed

20210730  sec  aix  CVE-2021-29741,IJ30557  There is a vulnerability in Korn Shell (ksh) that affects AIX
INSTALLED: no fix installed

20210819  hiper  aix  IJ34376  Applications can terminate on systems with active IPv6 traffic
INSTALLED: no fix installed

20210825  sec  aix  CVE-2021-29727,CVE-2021-29801,CVE-2021-29862,IJ32631  There are multiple vulnerabilities in the AIX kernel
INSTALLED: no fix installed

20210915  sec  aix  CVE-2021-2161,CVE-2021-2369,CVE-2021-2432  Multiple vulnerabilities in IBM Java SDK affect AIX
INSTALLED: no fix installed

20211116  sec  aix  CVE-2021-29860,IJ32714,IJ32736  There is a vulnerability in the libc.a library that affects AIX
INSTALLED: no fix installed

20211116  sec  aix  CVE-2021-29861,IJ35078,IJ35211  There is a vulnerability in EFS that affects AIX
INSTALLED: no fix installed

20220106  sec  aix  CVE-2021-3712  There is a vulnerability in OpenSSL used by AIX.
INSTALLED: no fix installed

20220106  sec  aix  CVE-2021-41617  Vulnerabilities in OpenSSH affect AIX.
INSTALLED: no fix installed

20220223  sec  aix  CVE-2021-2341,CVE-2021-35556,CVE-2021-35559,CVE-2021-35560,CVE-2021-35564,CVE-2021-35565,CVE-2021-35578,CVE-2021-35586,CVE-2021-41035  Multiple vulnerabilities in IBM Java SDK affect AIX
INSTALLED: no fix installed

20220223  sec  aix  CVE-2021-38994,CVE-2021-38995,IJ37012  There are multiple vulnerabilities in the AIX kernel.
INSTALLED: no fix installed

20220228  sec  aix  CVE-2021-38955,IJ38117,IJ38119  There is a vulnerability in the AIX audit user commands.
INSTALLED: no fix installed

20220301  sec  aix  CVE-2021-38996,CVE-2022-22350,IJ36682,IJ37512  There are multiple vulnerabilities in AIX CAA.
INSTALLED: no fix installed

20220304  sec  aix  CVE-2021-38989,IJ37488,IJ37778  There is a vulnerability in the AIX pmsvcs kernel extension.
INSTALLED: no fix installed

20220304  sec  aix  CVE-2022-22351,IJ36681,IJ37706  There is a vulnerability in the AIX nimsh daemon.
INSTALLED: no fix installed

SUMMARY: 6/21 fixes installed (3 APARs have no fix specified)

Real   1.90
User   0.32
System 0.18
#

Example 7: Download all fixes for IOS version 3.1.3.21.

$ apar download 3.1.3.21
downloading lpd_fix2.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  270k  100  270k    0     0   197k      0  0:00:01  0:00:01 --:--:--  197k
downloading bind_fix21.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19.1M  100 19.1M    0     0  1498k      0  0:00:13  0:00:13 --:--:-- 1665k
downloading vios_fix.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 32.7M  100 32.7M    0     0  1571k      0  0:00:21  0:00:21 --:--:-- 1750k
downloading kernel_fix4.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  138M  100  138M    0     0  1618k      0  0:01:27  0:01:27 --:--:-- 1671k
downloading libxml2_fix3.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 30.8M  100 30.8M    0     0  1537k      0  0:00:20  0:00:20 --:--:-- 1643k
$
$ ls -l
total 453952
-rw-r--r--    1 user01  staff   20080640 Sep 17 10:48 bind_fix21.tar
-rw-r--r--    1 user01  staff  145326080 Sep 17 10:50 kernel_fix4.tar
-rw-r--r--    1 user01  staff   32378880 Sep 17 10:51 libxml2_fix3.tar
-rw-r--r--    1 user01  staff     276480 Sep 17 10:48 lpd_fix2.tar
-rw-r--r--    1 user01  staff   34355200 Sep 17 10:49 vios_fix.tar
$

Similarly, all fixes for a specific AIX version can be downloaded by specifying the AIX version!

Example 8: Checking NIM clients for fixes

# apar check aix01 aix02 vios1
aix01: 13/16 fixes installed
aix02: 4/12 fixes installed (1 APAR has no fix specified)
vios1: 17/20 fixes installed (3 APARs have no fix specified)
#

Any number of NIM clients can be specified. NIM groups (mac_group) can also be specified.

Example 9: Checking a NIM client and downloading missing fixes

# apar check -d aix07
aix07: 13/16 fixes installed
downloading efs_fix.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5010k  100 5010k    0     0  1079k      0  0:00:04  0:00:04 --:--:-- 1241k
downloading kernel_fix3.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  142M  100  142M    0     0  1637k      0  0:01:29  0:01:29 --:--:-- 1684k
downloading bind_fix20.tar ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19.1M  100 19.1M    0     0  1494k      0  0:00:13  0:00:13 --:--:-- 1596k
#

The fixes are placed in the current directory.

Example 10: View fixes for a specific fileset

$ apar show bos.cluster.rte
type:         hiper
product:      vios
versions:     2.2.3.80,2.2.3.90
abstract:     CAA:SLOW GOSSIP RECEIPT ON BOOT MAY CAUSE PARTITIONED CLUSTER
apars:        IV97148
fixedIn:      See Advisory
ifixes:       IV97148s8a.170613.61TL09SP08.epkg.Z,IV97148s8a.170613.epkg.Z,IV97148s9b.171030.61TL09SP09.epkg.Z,IV97148s9b.171030.epkg.Z
bulletinUrl:  http://www-01.ibm.com/support/docview.wss?uid=isg1IV97148
filesets:     bos.cluster.rte:6.1.9.200-6.1.9.201
issued:       20171108
updated:      
siblings:     6100-09:IV97148 7100-04:IV97265 7200-01:IV97266
download:     https://aix.software.ibm.com/aix/ifixes/iv97148/
cvss:         
reboot:       yes
…
$

A version can also be specified:

$ apar show bos.cluster.rte:7.2.5.1
type:         sec
product:      aix
versions:     7200-05-01,7200-05-01-2038,7200-05-01-2039,7200-05-02,7200-05-02-2114,7200-05-03-2135,7200-05-03-2136,7200-05-03-2148
abstract:     There are multiple vulnerabilities in AIX CAA.
apars:        CVE-2021-38996,CVE-2022-22350,IJ36682,IJ37512
fixedIn:      7200-05-04
ifixes:       IJ36682s3a.220228.epkg.Z,IJ36682s3b.220228.epkg.Z,IJ37512s1a.220228.epkg.Z,IJ37512s2a.220228.epkg.Z
bulletinUrl:  https://aix.software.ibm.com/aix/efixes/security/caa_advisory2.asc
filesets:     bos.cluster.rte:7.2.5.0-7.2.5.1,bos.cluster.rte:7.2.5.100-7.2.5.101
issued:       20220301
updated:      
siblings:    
download:     https://aix.software.ibm.com/aix/efixes/security/caa_fix2.tar
cvss:         CVE-2022-22350:6.2 / CVE-2021-38996:6.2
reboot:       yes
…
$

Information about the ‘apar‘ command

The curl command is used to download files. It is available, for example, on the AIX toolbox. If curl is not installed or there is no connection to the Internet (with or without a proxy), then the download functionality of the ‘apar‘ command cannot be used. However, all other functions such as viewing APARs, checking for fixes, or searching for specific APARs can still be used without such a connection.

If a proxy is required, it can be configured using one of the two files /opt/pwrcmps/etc/tools.cfg or ~/.tools.cfg, e.g.:

# The HTTP proxy to use
# Default: (none)
HttpProxy: http://172.168.10.12:3333

We recommend using the /opt/pwrcmps/etc/tools.cfg file for the proxy configuration, as this is valid for all users.

The ‘apar‘ command requires the CSV file apar.csv which contains data records of all HIPER and SECURITY fixes. This file is made available by IBM at the following URL:

https://esupport.ibm.com/customercare/flrt/doc?page=aparCSV

By default, the ‘apar‘ command first searches for this file in the user’s home directory and then under /opt/pwrcmps/etc. If the file is not available in both places, the file will be downloaded from IBM using the URL above. The behavior can be configured via one of the two files /opt/pwrcmps/etc/tools.cfg or ~/.tools.cfg:

# The order of locations to look for the apar.csv file
# Default: ~,/opt/pwrcmps/etc,ibmwebsite
#AparCsvResolve:

We recommend downloading the file regularly using a crontab entry and storing it under /opt/pwrcmps/etc/apar.csv. The file can then be used by all users without having to download it again for each command call.

The download can be done using the following call:

$ apar getcsv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2834k    0 2834k    0     0  1240k      0 --:--:--  0:00:02 --:--:-- 1240k
$

The file is stored in the current directory. A crontab call from root for regular download could look like this:

( cd /opt/pwrcmps/etc; apar getcsv )

The ‘apar‘ command can be downloaded from our download area, it includes a time-limited test license for evaluation purposes.

SSHD: Effective Values of Keywords

By default, the sshd service uses the configuration file /etc/ssh/sshd_config. There the service can be configured in detail using keyword/value pairs. There are around 80 such keywords (depending on the SSH version). If a keyword is not listed in the configuration file, then a default value applies. However, this can depend on the version of SSH used. Then it is not always clear what value a certain keyword has. But that can be found out very easily with the help of sshd itself! There is an “extended test mode” for this, which can be started with the “-T” option. Sshd then checks the validity of the current configuration, prints the effective configuration, and then exits:

# sshd -T
port 22
addressfamily inet
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
x11maxdisplays 1000
maxauthtries 6
maxsessions 1024
clientaliveinterval 60
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin forced-commands-only
…
#

Root privileges are required.

This makes it very easy to determine the effective value of any keyword.

NTP Configuration on HMC with LPAR tool

NTP-Konfiguration HMC

The current status of NTP on an HMC can then be displayed using “hmc lsntp“:

$ hmc lsntp
NAME   XNTP     XNTPSTATUS    XNTPSERVER
hmc01  disable  -             -
hmc02  enable   synchronized  192.168.189.77,192.168.189.78
hmc03  enable   synchronized  192.168.189.77,192.168.189.78
$

Another NTP server can be added to the NTP configuration of an HMC using the “hmc addntpserver” command:

$ hmc addntpserver hmc01 192.168.189.77
$ hmc addntpserver hmc01 192.168.189.78
$

A check with “hmc lsntp” shows that two NTP servers are now configured, but NTP is still not activated:

$ hmc lsntp hmc01
NAME   XNTP     XNTPSTATUS  XNTPSERVER
hmc01  disable  -           192.168.189.77,192.168.189.78
$

NTP can now be activated with the command “hmc enablentp“:

$ hmc enablentp hmc01
$

The first sync may take a while:

$ hmc lsntp hmc01
NAME   XNTP    XNTPSTATUS      XNTPSERVER
hmc01  enable  unsynchronized  192.168.189.77,192.168.189.78
$

The time on the HMC is not yet synchronized immediately after enabling NTP (XNTPSTATUS: unsynchronized).

A detailed status for each NTP server can be obtained by using the “-a” option (all NTP servers):

$ hmc lsntp –a hmc01
NAME    SERVER         STATE          POLL_FREQ_SECONDS  SECONDS_SINCE_LAST_POLL
hmc01  192.168.189.77  not connected  64                 0
hmc01  192.168.189.78  not connected  64                 0
$

As soon as synchronization with one of the NTP servers is achieved, the overall status is synchronized:

$ hmc lsntp hmc01
NAME   XNTP    XNTPSTATUS    XNTPSERVER
hmc01  enable  synchronized  192.168.189.77,192.168.189.78
$

A more detailed description can be found here: NTP Configuration on the HMC

The LPAR tool can be downloaded for testing here: Download

History Expansion bash

Drawing Shell

Many AIX and UNIX users use bash as their preferred shell. Navigating in the history with the cursor keys is certainly used countless times a day by all users. As long as the interesting commands are only a short time ago, this works very well. However, for commands longer in the past, access using the cursor keys is relatively time-consuming. Who wants to press the cursor keys 50 times to access a command?

The bash history expansion mechanism offers a much more efficient option here. Previous commands can be accessed using the history expansion character “!“. The commands can be specified in different ways:

    • The number of the command: !31
    • The nth previous command: !-n (e.g. !-3 for the third last command)
    • The last command that begins with a specific character string: !ca
    • The last command that has a specific character string anywhere: !?ca

However, the possibilities of the bash are far from exhausted. You can specifically access individual arguments of a previous command and even make changes.

Here are a few of those options:

    • !! (run the last command again)
    • ^op^art (run the last command again, but replace “op” with “art“)
    • cat !?sam?:% (run the cat command on the last argument containing the string “sam“)
    • vi !$ (Run vi on the last argument of the last command)

A description of these and other bash options can be found here:

The bash History Expansion

The Command chrctcp

chrctcp

On AIX, the System Resource Controller (SRC) is used to control subsystems and subservers. Every AIX administrator is surely familiar with the lssrc, startsrc and stopsrc commands. The chrctcp command, which is used to manage subsystems that are started via /etc/rc.tcpip, is not quite as well known. By using this command, editing the start script /etc/rc.tcpip can be avoided. Most administrators only know and use the “-a” (add/activate), “-d” (delete/deactivate) and “-S” (start, stop or restart subsystem) options. However, the chrctcp command offers even more functionality via the options “-c” (change) and “-s” (show), which SMIT also uses. (After all, chrctcp was probably written specifically for use by SMIT.)

A number of subsystems are started at boot time via /etc/rc.tcpip. However, only if there is an entry of the following form in the /etc/rc.tcpip script:

start /usr/sbin/inetd "$src_running"

If a specific subsystem is not to be started at boot time, the relevant subsystem must be commented out in /etc/rc.tcpip:

#start /usr/sbin/inetd "$src_running"

In principle, the change can be made with an editor. However, there is a much more elegant way using the chrctcp command. If a specific service should not be started at next boot, chrctcp can be used with the “-d” option to comment out the service:

# chrctcp -d inetd
# grep /usr/sbin/inet /etc/rc.tcpip
#start /usr/sbin/inetd "$src_running"
#

This has no effect on the currently running subsystem. If you also want to stop the running subsystem, you can either use the “stopsrc –s” command or, which is much easier, simply use the “-S” option of chrctcp:

# chrctcp -S -d inetd
0513-044 The /usr/sbin/inetd Subsystem was requested to stop.
#

The subsystem is commented out in /etc/rc.tcpip and an eventually running subsystem is stopped as well.

You can proceed in a similar way if you want to use a previously unused service from /etc/rc.tcpip. The “-a” option can be used to activate the corresponding entry:

# grep /usr/sbin/inetd /etc/rc.tcpip
#start /usr/sbin/inetd "$src_running"
# chrctcp -a inetd
# grep /usr/sbin/inetd /etc/rc.tcpip
start /usr/sbin/inetd "$src_running"
#

Note: The entry ‘#start /usr/sbin/inetd “$src_running”‘ must already be present and at the correct place in the file!

If not only the file /etc/rc.tcpip is to be adjusted, but the service is also to be started immediately, the “-S” option can be used again:

# grep /usr/sbin/inetd /etc/rc.tcpip
#start /usr/sbin/inetd "$src_running"
# chrctcp -S -a inetd
0513-059 The inetd Subsystem has been started. Subsystem PID is 5636582.
# grep /usr/sbin/inetd /etc/rc.tcpip
start /usr/sbin/inetd "$src_running"
#

In the following we will stick to inetd as an example. However, everything described applies in the same way to other subsystems.

Services such as inetd, syslogd, and others often have options and arguments that can be specified at startup. For example, inetd offers the following options and arguments:

-d   Send debugging information to syslogd

-6   IPv6 support

file  Specification of a configuration file to be used instead of /etc/inetd.conf.

The options and arguments used can be displayed with the chrctcp command and the “-s” option:

# chrctcp -s inetd
#debug_mode:ipv6_mode:config_file
no:no:
#

The sample output shows debugging and IPv6 disabled and no alternate configuration file specified.

With the option “-c” (change) you can change the options and arguments. Attributes can be specified with the “-f” option. As an example, let’s enable debugging and allow IPv6:

# chrctcp -c inetd -f debug=yes -f ipv6=yes
# grep /usr/sbin/inetd /etc/rc.tcpip
start /usr/sbin/inetd "$src_running" " -d  -6 "
#

A look at /etc/rc.tcpip shows that the start of inetd has been supplemented with the options “-d” (debugging) and “-6” (IPv6)! Again, only the start file /etc/rc.tcpip has been changed, an inetd that may already be running remains unaffected by the change:

# ps -ef|grep ine[t]d
    root  5636582  4587924   0 18:34:47      -  0:00 /usr/sbin/inetd
#

As with enabling and disabling subsystems, the “-S” option can also be used when changing:

# chrctcp -S -c inetd -f debug=yes -f ipv6=yes
0513-044 The inetd Subsystem was requested to stop.
0513-059 The inetd Subsystem has been started. Subsystem PID is 5636584.
#

The service is then stopped and restarted immediately. Then of course with the changed options and arguments:

# ps -ef|grep ine[t]d
    root  5636584  4587924   0 18:49:25      -  0:00 /usr/sbin/inetd -d -6
#

The options and arguments used at next boot can be listed with the “-s” option:

# chrctcp -s inetd
#debug_mode:ipv6_mode:config_file
yes:yes:
#

A bit unfortunate is the fact that the names shown in the header (debug_mode, ipv6_mode, config_file) do not quite match the attribute names to be used. The correct supported attribute names in the case of inetd are debug, ipv6 and file.

In one of the next posts we will list the supported attributes for further subsystems and make them available in a table.