Pages

Friday 17 August 2012

How To Secure FTP Server


How To Secure FTP Server

As popular as FTP is FTP communication is not secure, all communication is plain text and can be easily captured. Despite this serious weakness, few do anything to secure it. There are simple ways to correct this with VSFTPD.

SSL/TLS With FTP
FTPS is also known as FTPS Secure or FTP-SSL.  What FTPS does is add the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) to the normal FTP on the same port 21.  It is easy to confuse FTPS on port 21 with SFTP which is actually SSH on port 22.

Add these settings to your /etc/vsftpd.conf file and you will have an anonymous ftp server that will allow anyone to download files from /var/ftp but they cannot upload. It will also protect all of your users as they must ftp into their home accounts using ssl.

anonymous_enable=YES
local_enable=YES
rsa_cert_file=/ etc/vsftpd.pem
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

You do not need to create the self-signed certificate as they are already created by the vsftpd server as you can see listed. Notice that ssl is enabled only for local logins, users who have accounts on the machine. The connection will still be on port 21. Once you have the server set up you will need a client that is ftps compatible.

Create Self-Signed Certificate
You can create a self-signed certificate with this command which will create a certificate for 1 year and the pem file is then saved in the /etc/directory. Note that you will need to change the /etc/vsftpd.conf file to enter the path of this file. You will be asked several questions which will identify your organization.

# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
Generating a 1024 bit RSA private key
……++++++
..++++++
writing new private key to ‘/etc/vsftpd.pem’
—–

You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:Trout Creek
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example LTD
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:example.com
Email Address []:fsmith@example.com

Edit /etc/vsftpd.conf and comment out the rsa certificate and private key files that are there by default and add these lines which show the path to your self-signed certificate.

rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
Restart the ftp server.
service vsftpd restart

Using a FTP Client that is SSL/TLS Compatible

The popular Linux ftp client gFTP will not connect using SSL when you are using self-signed certificates, you would have to purchase a real certificate for your business. Another Linux alternative is to use ftp-ssl. This is a command line version of ftp and actually will replace ftp with this client. It functions that same as ftp. It will attempt to connect using ssl, if it is not enabled it will drop back to regular ftp. The Filezilla version for Linux continued to crash when the connection was made, so it is not a reliable option.
When you connect you will be asked to accept the self-signed certificate, either which you made or the default for vsftp.
Accept the certificate and you have encrypted FTP on port 21.
If you have users connecting with FileZilla for Windows, which is reliable, you will need to make these changes so they can log in with SSL. Note the port is still 21 but the Servertype is now FTP over SSL.

How to trace what’s being done by user’s on your Linux Server

How to trace what’s being done by user’s on your Linux Server 

Intrusions can take place from both authorized (insiders) and unauthorized (outsiders) users. My personal experience shows that unhappy user can damage the system, especially when they have a shell access. Some users are little smart and removes history file (such as 
~/.bash_history) but you can monitor all user executed commands.

It is recommended that you log user activity using process accounting. Process accounting allows you to view every command executed by a user including CPU and memory time. With process accounting sys admin always find out which command executed at what time :)

The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa. 

The ac command displays statistics about how long users have been logged on. 
The lastcomm command displays information about previous executed commands. 
The accton command turns process accounting on or off. 
The sa command summarizes information about previously executed commmands. 

Install psacct or acct package 

Use up2date command if you are using RHEL ver 4.0 or less 

# up2date psacct 

Use yum command if you are using CentOS/Fedora Linux / RHEL 5: 

# yum install psacct 

Use apt-get command if you are using Ubuntu / Debian Linux: 

$ sudo apt-get install acct OR # apt-get install acct 

Start psacct/acct service 

By default service is started on Ubuntu / Debian Linux by creating /var/account/pacct file. But under Red Hat /Fedora Core/Cent OS you need to start psacct service manually. Type the following two commands to create /var/account/pacct file and start services: 

# chkconfig psacct on 

# /etc/init.d/psacct start

Now let us see how to utilize these utilities to monitor user commands and time. 

Display statistics about users' connect time 

ac command prints out a report of connect time in hours based on the logins/logouts. A total is also printed out. If you type ac without any argument it will display total connect time: 

[santosh@Redhat ~]$ ac 

total 53.17 

Display totals for each day rather than just one big total at the end: 

[santosh@Redhat ~]$ ac -d 

Jul 23 total 19.65 

Aug 5 total 12.10 

Aug 6 total 20.67 

Today total 0.80 

Display time totals for each user in addition to the usual everything-lumped-into-one value: 

[santosh@Redhat ~]$ ac -p 

santosh 0.09 

raj 0.97 

root 47.07 

sohan 5.11 

total 53.24 

find out information about previously executed user commands 

Use lastcomm command which print out information about previously executed commands. You can search command using usernames, tty names, or by command names itself. 

Display command executed by santosh user: 

[santosh@Redhat ~]$ lastcomm santosh 

lastcomm santosh pts/2 0.00 secs Tue Aug 7 07:18 

ac santosh pts/2 0.00 secs Tue Aug 7 07:17 

ac santosh pts/2 0.00 secs Tue Aug 7 07:16 

ac santosh pts/2 0.00 secs Tue Aug 7 07:16 

grep santosh pts/2 0.00 secs Tue Aug 7 07:11 

dircolors santosh pts/2 0.00 secs Tue Aug 7 07:11 

bash F santosh pts/2 0.00 secs Tue Aug 7 07:11 

tput santosh pts/2 0.00 secs Tue Aug 7 07:11 

tty santosh pts/2 0.00 secs Tue Aug 7 07:11 

Search the accounting logs by command name: 

[santosh@Redhat ~]$ lastcomm useradd 

useradd S root pts/1 0.10 secs Tue Aug 7 07:11 

useradd F root pts/1 0.00 secs Tue Aug 7 07:11 

useradd F root pts/1 0.00 secs Tue Aug 7 07:11 

useradd F root pts/1 0.00 secs Tue Aug 7 07:11 

useradd F root pts/1 0.00 secs Tue Aug 7 07:11 

Search the accounting logs by terminal name pts/1 

[santosh@Redhat ~]$ lastcomm pts/1 

passwd S root pts/1 0.04 secs Tue Aug 7 07:11 

useradd F root pts/1 0.00 secs Tue Aug 7 07:11 

psacct root pts/1 0.01 secs Tue Aug 7 07:11 

touch root pts/1 0.00 secs Tue Aug 7 07:11 

accton S root pts/1 0.00 secs Tue Aug 7 07:11 

Summarizes accounting information 

Use sa command to print summarizes information about previously executed commands. In addition, it condenses this data into a summary file named savacct which contains the number of times the command was called and the system resources used. The information can also be summarized on a per-user basis; sa will save this iinformation into a file named usracct. 

[santosh@Redhat ~]$ sa 

4 0.36re 0.12cp 31156k up2date 

216 1.82re 0.02cp 647k 

19 1.64re 0.02cp 642k ***other* 

2 0.01re 0.00cp 4123k rhsmd 

48 0.01re 0.00cp 649k find 

33 0.01re 0.00cp 504k tmpwatch 

2 0.01re 0.00cp 662k logrotate 

54 0.14re 0.00cp 687k awk 

14 0.00re 0.00cp 498k basename 

13 0.00re 0.00cp 495k logger 

12 0.00re 0.00cp 743k makewhatis* 

3 0.00re 0.00cp 505k tr 

3 0.00re 0.00cp 496k renice 

3 0.00re 0.00cp 507k rm 

2 0.00re 0.00cp 596k grep 

2 0.00re 0.00cp 742k prelink* 

2 0.00re 0.00cp 742k makewhatis.cron* 

2 0.00re 0.00cp 551k sed 

2 0.00re 0.00cp 495k ionice 

Take example of first line: 

4 0.36re 0.12cp 31156k up2date 

Where, 

0.36re "real time" in wall clock minutes 
0.12cp sum of system and user time in cpu minutes 
31156k cpu-time averaged core usage, in 1k units 
up2date command name 

Display output per-user: 

# sa -u 

root 0.00 cpu 595k mem accton 

root 0.00 cpu 12488k mem initlog 

root 0.00 cpu 12488k mem initlog 

root 0.00 cpu 12482k mem touch 

root 0.00 cpu 13226k mem psacct 

root 0.00 cpu 595k mem consoletype 

root 0.00 cpu 13192k mem psacct * 

root 0.00 cpu 13226k mem psacct 

root 0.00 cpu 12492k mem chkconfig 

postfix 0.02 cpu 10696k mem smtpd 

santosh 0.00 cpu 19328k mem userhelper 

santosh 0.00 cpu 13018k mem id 

santosh 0.00 cpu 13460k mem bash * 

lighttpd 0.00 cpu 48240k mem php 

Display the number of processes and number of CPU minutes on a per-user basis 

[root@Redhat ~]# sa –m 

root 566 3.44re 0.22cp 991k 

postfix 2 0.21re 0.00cp 3138k

Thursday 16 August 2012

Virtual I/O Server - Some Commands

Virtual I/O Server - Some Commands

Initialize the LPAR Configuration :

# mkgencfg -o init

[OS] Software Management :

To display VIO Server level:

# ioslevel

To update the IOS software:

# updateios –dev /update -

To installs a new filesets (mainly used for TL updates):

# updateios –dev /cd0 -install -accept

To commit all applied :

# updateios –commit

To rejects all uncommitted updates :

# updateios –reject

To clean all incomplete pieces of the previous installation :

# updateios –clean

To remove a fileset :

# updateios –remove fileset_name

To take the OS backup in a CD ROM :

# backupios –cd /dev/cd1 -cdformat

To take the OS backup in a DVD-RAM :

# backupios –cd /dev/cd1 -udf

To take the OS backup in a tape drive :

# backupios –tape /dev/rmt0

Just verifies the backup available in a tape :

# backupios –tape /dev/rmt0 -verify

Generates backup to a file. No user VGs are -nosvg back’d up :

# backupios –file /opt/file1

To display the underlying AIX OS version :

# oem_platform_level

To open a non-restricted root shell :

# oem_setup_env

This shell is used mainly for the installation of vendor software such as device drivers.

Remote Management :

To enable remote_management using NIM master :

# remote_management nim1

To disable remote management :

# remote_management –disable

License Management:

To display the current license :

# license –view

To accept the license :

# license –accept

To view if the license has been accepted :

# license

Software Management:

To list all the installed software :

# lssw

To list all the installed software and their history

# lssw –hist

Management of Virtual Terminals:

To open a virtual terminal for partition with id 2 :

# mkvt –id

To close a virtual terminal for a partition with id 2 :

# rmvt –id 2

Device Management:

To change the attribute of a device permanently.

# chdev -dev scsi0 -attr id=6 -perm

Sometimes it reboots the system if perm is used

To disable the path between hdisk1 and scsi0 :

# chpath -dev hdisk1 -pdev scsi0 -op disable

To configures the devices in the VIO server :

# cfgdev

To configures the devices attached to scsi0 adapter :

# cfgdev –dev

To unconfigure the cd-rom device :

# rmdev –dev cd0

To unconfigure scsi adapter and its child devices :

# rmdev –recursive –dev scsi1

To unconfigures the children of pci1 but not the PCI bus pci1 :

# rmdev –pdev pci1

Management of Virtual/Shared Devices:

To create a virtual target device that maps lv20 as a virtual disk for a client partition hosted by the vhost0 virtual server adapter :

# mkvdev -vdev lv20 -vadapter vhost0

Same as above except here hdisk is used instead of a logical volume :

# mkvdev -vdev hdisk6 -vadapter vhost2

To create a SEA that maps the physical Ethernet adapter ent4 as a virtual adapter for the client
partitions served by the virtual Ethernet adapters ent6 and ent7, using ent6 as the default adapter and 8 as the default id :

# mkvdev -sea ent4 -vadapter ent6,ent7 -default ent6 -defaultid 8

To remove a virtual target device vtscsi9 along with its backing lv :

# rmvdev –vdev vtscsi9 –

To remove all virtual target device associated with backing device lv001 :

# rmvdev –vdev lv001

To remove a specific virtual target device :

# rmvdev –vtd vtscsi10

List Device Mapping:

To list all virtual target devices and backing devices mapped to virtual server adapter vhost2 :

# lsmap -vadapter vhost2

To list SEA and physical device mapped to virtual Ethernet Adapter ent4 :

# lsmap -vadapter ent4 –net

To list all virtual target devices and backing devices where backing devices are of type LV :

# lsmap -all -type lv

To list all network mapping :

# lsmap –all –net

How to list Devices :

To display all the devices :

# lsdev

To display all the virtual devices :

# lsdev –virtual

To display all the virtual adapters :

# lsdev –type adapter –virtual

To display all the slots :

# lsdev –slot s

To display all the adapters :

# lsdev –type adapter

Few other device types: disk, lv, optical, tape, tty

To list all physical Ethernet adapters and Etherchannel available for creating a SEA :

# lsdev –type ent4sea

To list all virtual Ethernet adapters available for creating a SEA :

# lsdev –type ven4sea

To list all adapters over which ip address can be configured :

# lsdev –type ent4ip

To display parent device of a device :

# lsdev –dev hdisk0 –

To list disks names and physical location alone :

# lsdev -type disk -field name physloc

Logical Volume Manager :

Volume Group

To create a vg on hdisk1 :

# mkvg -vg newvg hdisk1

To drain I/O's for a vg and suspends future I/O's :

# chvg -suspend vg03

To resume normal I/O operations for a vg :

# chvg -resume vg03

Unlock a VG if left in a locked state by abnormal termination of another lvm operation :

# chvg -unlock vg03

To add a physical volume to a volume group :

# extendvg vg3 hdisk3

To remove a PV from a VG :

# reducevg vg01 hdisk1

To remove a PV and all residing LVs from a VG with no confirmation :

# reducevg –rmlv –f vg01

To activate a vg :

# activatevg vg03

To deactivate a vg :

# deactivatevg vg03

To mirror the VIO Server’s rootvg to hdisk4 and reboots VIO Server :

# mirrorios –force hdisk4

To mirror the VIO Server’s rootvg to hdisk4 but don’t reboot the server :

# mirrorios –defer hdisk4

To remove the rootvg mirror from hdisk4 :

# unmirrorios hdisk4

To import a VG from hdisk07 :

# importvg –vg vg001 hdisk07

To export a VG :

# exportvg vg3

Note: Volume Group containing a paging space can’t be exported

To sync a VG :

# syncvg –vg vg01

To sync a LV :

# syncvg –lv lv001

To sync a PV :

# syncvg –pv hdisk4 hdisk5

To redefine a VG based on the VGDA from hdisk04 :

# redefvg –dev hdisk04

Logical Volume :

To create a logical volume of size 1MB in vg01 :

# mklv –lv lv001 vg01 1M hdisk1

To create a logical volume with mirror in place in vg01 of size 1GB :

# mklv –mirror vg01 1G

To extend an LV by 3MB :

# extendlv lv01 3M

To extend an LV by 1GB with space taken from hdisk5 :

# extendlv lv01 1G hdisk5

To remove a logical volume :

# rmlv lv05

To display the properties of a logical volume :

# lslv lv03

To display info about LV by Physical volume :

# lslv –pv lv03

To display LVs that can be used as backing devices :

# lslv –free

To make a copy for lv01 in hdisk03 :

# mklvcopy lv01 hdisk03

To remove lv01’s copy from hdisk03 :

# rmlvcopy lv01 hdisk03

To copy the contents of lv01 to lv02 :

# cplv lv01 lv02

To copy the contents of lv01 to a new lv in vg01 :

# cplv –vg vg01 lv01

To change the name of oldlv to newlv :

# chlv –lv newlv oldlv

Physical Volume

To display all physical volumes in the system :

# lspv

To display the status and characteristics of hdisk03 :

# lspv hdisk03

To list all the available PVs used as virtual SCSI backing devices :

# lspv –avail

To list PVs that can be used as virtual SCSI backing devices and are not currently a backing device :

# lspv –free

To move physical partitions from hdisk1 to hdisk2 :

# migratepv hdisk1 hdisk2

To move physical partitions in lv01 from hdisk1 to hdisk2 :

# migratepv –lv lv01 hdisk1 hdisk2

Storage Pool Management:

To create storage pool “client_data” using hdisk3 hdisk4 hdisk3 and hdisk4 :

# mksp -f client_data

To set client_data storage pool as default :

# chsp –default client_data

To list all storage pools :

# lssp

To list the default storage pool :

# lssp –default

To list the backing device in rootvg storage pool :

# lssp –bd –sp rootvg

To attach a storage from a storage pool to a Virtual SCSI adapter:

# mkbdsp -bd lv001 -vadapter vthost2 -tn vtscsi9

To removes storage from a Virtual SCSI adapter, and removes the backing device :

# rmbdsp –bd lv001

To remove storage from a Virtual SCSI adapter, And makes sure backing device is not deleted :

# rmbdsp –bd lv001 -savebd

To removes storage from a Virtual SCSI adapter, and removes the backing device :

# rmbdsp –vtd vtscsi9

To removes storage from a Virtual SCSI adapter. and makes sure backing device is not deleted :

# rmbdsp –vtd vtscsi8 -savebd

Network Configuration :

TCP/IP Configation:

To configure tcpip on a network interface :

# mktcpip -hostname sys01vio2 -inetaddr 9.47.90.113 -interface en2 -netmask 255.255.255.0 -gateway 9.47.90.1 -nsrvdomain yahoo.com -start

To display the stored tcp/ip configuration in the system :

# lstcpip –stored

To display ethernet adapters on the system :

# lstcpip –adapters

To display the system hostname :

# lstcpip –hostname

To display DNS name servers in search order and domain name :

# lstcpip –namesrv

To display the routing table :

# lstcpip –routtable

To display routing table in numeric output instead of hostname :

# lsctpip –num –routtable

To display all the open inet sockets :

# lstcpip –sockets –family inet

To display the status of all configured interfaces :

# lstcpip –state

To remove all TCP/IP configuration :

# rmtcpip –all

To unconfigure tcpip in en0:

# rmtcpip –interface en0

To cleanup static routing table :

# rmtcpip –f -routing

To remove IP information from en0 after reboot :

# rmtcpip –f –interface en0 -nextboot

To remove DNS information and clears the hosts file :

# rmcpip –namesrv

Managing IP address-to-host name Mapping Entries:

To add IP address-to-host name mapping entry :

# hostmap -addr 192.100.1.7 -host alpha

To list all IP address-to-host name mapping entries :

# hostmap –ls

To delete the IP address-to-host name mapping entry :

# hostmap-rm 192.100.1.7

Managing Network Services:

To enable all the network services :

# startnetsvc ALL

To enable the telnet daemon :

# startnetsvc telnet

To enable the ftp daemon :

# startnetsvc ftp

To enable the ssh daemon :

# startnetsvc ssh

To enable the ldap daemon :

# startnetsvc ldap

To enable the cimserver daemon :

# startnetsvc cimserver

To enable the xntpd daemon :

# startnetsvc xntpd

To send CLI tracing details to the system log :

# startnetsvc tracelog

To send system error to the system log :

# startnetsvc errorlog

To disable all the network services :

# stopnetsvc ALL

To disable the telnet daemon :

# stopnetsvc telnet

To disable the ftp daemon :

# stopnetsvc ftp

To disable the ssh daemon :

# stopnetsvc ssh

To disable the ldap daemon :

# stopnetsvc ldap

To disable the cimserver daemon :

# stopnetsvc cimserver

To disable the xntpd daemon :

stopnetsvc xntpd

To stop sending CLI tracing details to system log :

# stopnetsvc tracelog

To stop sending system error log to the system log :

# stopnetsvc errorlog -

To display the status of ftp network service :

# lsnetsvc ftp

Managing DNS, Domain and Search Order Entries:

To add a domain entry :

# cfgnamesrv -add -dname abc.aus.century.com

To add a name server entry :

# cfgnamesrv –add -ipaddr 192.9.201.1

To display all the DNS entries :

# cfgnamesrv -ls

Network Tuning Parameters:

To display the maximum size of the mbuf pool :

# optimizenet –get thewall

To set a machine as internet work router over TCP/IP networks :

# optimizenet –set ipforwarding=1

To display information on udp_recvspace :

# optimizenet –h udp_recvspace

Network Monitoring:

To display all the statistics, including the device- specific statistics :

# entstat ent0

To reset all the statistics back to their initial values :

# entstat –reset ent0

To display the route to a particular host :

# traceroute nis.nsf.net

System Monitoring :

To display the summary of current system activity :

# sysstat

To display the system statistics :

# topas

System Management Commands:

To halt the operating system :

# shutdown

To halt the operating system forcibly :

# shutdown –force

To reboot the vio server :

# shutdown –restart

To invalidate the boot list for service mode :

# bootlist -mode service –rm

To display the boot list for service mode :

# bootlist -mode service –ls

To set the boot list for normal mode :

# bootlist –more normal hdisk0

To display the complete detailed error report :

# errlog –ls

To remove all the error log entries :

# errlog –rm 0

To remove the error log entries older than 5 days :

# errlog –rm 5

To change the system date and time :

# chdate -day 12 -month 10 -year 2004 -hour 16 -minute 30

To change the language for the entire system to French Canadian :

# chlang -lang fr_CA

To display available languages :

# chlang –ls

To perform hardware problem determination and maintenance :

# diagmenu

To generate report on microcode levels of all the devices :

# invscout –report

To display the vpd survey of the partition :

# invscout –vpd

To append the current MOTD [Message Of The Day] :

# motd –append “Message”

To overwrite MOTD :

# motd –overwrite -file filename

To do the initial configuration of VIO Server :

# cfgassist

It is like configuration assitant in AIX.

To do filesystem scan :

# fsck /dev/lv01

To display exported (nfs) directories on a remote server :

# showmount hostname

To start system dump on the primary device :

# startsysdump

To display continuous disk report on disk1 at 2sec interval :

# viostat -disk disk1 2

To display adapter throughput reports :

# viostat –adapter

To display system and adapter throughput reports :

# viostat –sys –adapter

To gather system info and to store it in the floppy disk :

# snap -general -dev /dev/rfd0

To display microcode levels of all devices :

# lsfware –all

Managing Agents:

To start an agent : # startsvc agent_name

To stop an agent: # stopsvc agent_name

To display an agent's configuration information :

# lssvc agent_name

To display all the available agents :

# lssvc

To display the attributes associated with ITSM_base agent :

# cfgsvc –ls ITM_base

To display the ITM_base agent ssh public key :

# cfgsvc -key ITM_base

User Management:

To create a user :

# mkuser

To change an attribute of a user :

# chuser

To display the properties of a user :

# lsuser

To remove a user from the system :

# rmuser

To set/reset password for a user :

# passwd

Security Commands:

To display all failed logins :

# lsfailedlogin

To display the contents of global command log :

# lsgcl

To displays high system settings :

# viosecure -level high

To apply all of the high system settings to the system :

# viosecure -level high –apply

To displays the current system settings :

# viosecure –view

To allow IP activity on the ftp-data, ftp, ssh, www, https, rmc, and cimon ports, and to deny other IP activity :

# viosecure –firewall on

To enable IP activity on all ports :

# viosecure –firewall off

To display the list of allowed ports :

# viosecure -firewall view

Wednesday 15 August 2012

Checklist for DLPAR setup (RSCT)

 Checklist for DLPAR setup (RSCT)

It is strongly recommended that the Hardware Management Console (HMC) be upgraded to Release 3, Level 2.2.x or above to minimize setup time for dynamic logical partitioning (DLPAR) operations. Run hsc version to find out the HMC's version number. The LPAR AIX should also be upgraded to 5.1F or 5.20 or later.

Table 1. Requirements

Verify> Command -> Result -> Action
1HMC levelClick Help then About on the HMC main window. This should be release 3 version 2.4 or higher. I encourage you to get the latest software, at HMC Corrective Service.
2AIX filesets required for DLPAR (on each LPAR/SMP)AIX level should 5.2 or later. These filesets should be on partitions:
> lslpp -l rsct.core*
> lslpp -l csm.client
The missing fileset can be installed from the AIX installation CD.

Use the tables in this section as a checklist for your DLPAR setup.


Table 2. Verify whether the required software is functional

VerifyVerify Result and Action
1HMC daemons are running> su - root
> lssrc -a
SubsystemGroupPIDStatus
ctrmcrsct822active
IBM.DMSRMrsct_rm906active
IBM.LparCmdRMrsct_rm901active
If these daemons are active go to step 2. If any of the daemons show as inoperative, start it manually by > startsrc -s <subsystem name>. For example, startsrc -s ctrmc
If a daemon can't be started, please contact IBM service personnel.
2AIX daemons are running (on each LPAR/SMP with AIX 5.20)> su - root
> lssrc -a | grep rsct
SubsystemGroupPIDStatus
ctrmcrsct21044active
IBM.CSMAgentRMrsct_rm 21045active
IBM.ServiceRMrsct_rm11836active
IBM.DRMrsct_rm20011active
IBM.HostRMrsct_rm 20012active
IBM.DRM and IBM.HostRM are "lazy started" resource managers; they're only started when they get used. If IBM.DRM and IBM.HostRM are inoperative, there's a good chance you're having network/hostname setup problem between HMC and the LPAR. To correct this, see Table 3. Verify Your RMC/DLPAR setup, below.
If AIX is 51G, 52B or above, ctcas is also a lazy started RM, meaning it can stay inoperative until they get used, so it's not necessary to start it if your LPAR is at these levels or later.
If any of the daemons show as inoperative, use > startsrc -s <subsystem name>. For example, startsrc -s IBM.CSMAgentRM.

ctrmc
Is a Resource Monitoring and Control (RMC) subsystem.
ctcas
Is for security verification. It is a lazy started resource manager and does not have to run in order for DLPAR to work.
IBM.DMSRM
Is for tracking status of partitions.
IBM.LparCmdRM
Is for DLPAR operation on HMC.
IBM.CSMAgentRM
Is for handshaking between the LPAR and HMC.
IBM.DRM
Is for executing the DLPAR command on the LPAR.
IBM.HostRM
Is for obtaining OS information.

Table 3. Verify your RMC/DLPAR network/hostname setup

Verify>Result and Actions
1HMC: List partitions authenticated by RMC> /opt/csm/bin/lsnodes -a Statuspartition01 1
partition02 0
partition03 1
Where 1 means LPAR is activated and authenticated for DLPAR; 0 means otherwise.
If the LPAR is activated and still shows Active<0>, you could have either network or hostname setup problems. If you have just rebooted the HMC, wait for a few minutes. If nothing changes after that, check your hostname/network setup in Setting up HMC/partitions hostname and network.
2HMC: List partitions recognized by DLPAR> lspartition -dlpar <#0> Partition:<001, partition01.company.com, 9.3.206.300> Active:<1>, OS:<AIX, 5.2>, DCaps:<0xf>, CmdCaps:<0x1, 0x0>
<#1> Partition:<002, partition02.company.com, 9.3.206.300> Active:<0>, OS:<AIX, 5.2>, DCaps:<0xf>, CmdCaps:<0x1, 0x0>
<#2> Partition:<003, partition03.company.com, 9.3.206.300> Active:<0>, OS:<, 5.1F>, DCaps:<;0x0>, CmdCaps:<0x0, 0x0>
If all active AIX 5.2 partitions are listed as Active<1>, ..., DCaps:<0xf> your system has been set up properly for DLPAR, and you can skip the checklist now. (In this example, LPAR 002 is being shut down, and LPAR 003 is not activated because it is at AIX 5.1.)
If you're missing some active partitions or some partitions are reported as Active<0>, your system probably still has a network/hostname set up problem. See Setting up the HMC/partitions hostname and network. (If your LPAR is Active<1> but the GUI is still not DLPAR capable, do a rebuild to get around this problem. See the Appendixes in this article for more information.)
If you still can't get partitions recognized by DLPAR after verifying the checklist, contact IBM service personnel.
3AIX: Ensure /var directory is not 100% full (on each LPAR/SMP)> dfIf /var is 100% full, use smitty to expand it. If there is no more space available, visit subdirectories to remove unnecessary files (using trace.*, core, and so on). After expanding the /var directory, execute the following commands to fix possibly corrupted files:
> rmrsrc -s "Hostname!='t' " IBM.ManagementServer
> /usr/sbin/rsct/bin/rmcctrl -z
> rm /var/ct/cfg/ct_has.thl
> rm /var/ct/cfg/ctrmc.acls
> /usr/sbin/rsct/bin/rmcctrl -A
4AIX: Verify if you have network problem (from each LPAR/SMP)> ping <hmc_hostname>If ping fails, check your hostname/network setup. See Setting up HMC/partitions hostname and network.
5AIX: Verify LPAR(s) to HMC authentication (from each LPAR/SMP)> CT_CONTACT=<HMC name> lsrsrc IBM.ManagedNodeYou should get a list of resource classes on HMC.
If there is any error, you probably have network/hostname problem, please refer to section Setting up HMC /Partition(s) Hostname and Network.
6HMC: Verify network setup by telnet-ing into each LPAR(s) from the HMC> telnet <hostname>
> Ctrl c or exit to end If you can't telnet, you have a network problem. See Setting up HMC/partitions hostname and network.
7HMC: Verify HMC to LPAR(s) authentication> CT_CONTACT =<lpar_hostname> lsrsrc IBM.ManagementServerIf nothing is displayed or if there are any errors, you probably have a hostname problem. See Setting up HMC/partitions hostname and network.

For older releases of AIX (pre 5.1F and 2.0) or HMC (release 3, version 1.x or earlier), the hostname format, long or short, also requires some setup. Please refer to the Appendixes for further set up instructions if your HMC or partitions are at these levels.
Most DLPAR problems we've encountered from the test labs have been improper network. This section tries to reduce these network setup and configuration problems.
First, find out the IP address and hostname format of the HMC and its LPAR(s), which can be determined by using the command hostname on the HMC and AIX system respectively, then use host return_from_hostname to verify it. For example,
> hostname
Partition.company.com
> host Partition.company.com
Partition.company.com has address 9.3.14.199

If DNS is off or if the HMC and partitions are on different subnets
The HMC and LPAR(s) /etc/hosts files need to be modified to contain the correct entries for the HMC and all partitions' hostnames. Put the host name in /etc/hosts for HMC and all partitions (names are case sensitive).
Make sure that on the LPAR(s) (just LPAR), the file /etc/netsvc.conf exists with one line: hosts=local,bind.
Refresh RMC by either rebooting or
  > /usr/sbin/rsct/bin/rmcctrl -z
  > /usr/sbin/rsct/bin/rmcctrl -A

Customers should add all the LPAR's hostnames to the /etc/hosts file on the HMC. The HMC hostname must be added to each LPAR /etc/hosts file. Because the customer does not have DNS data, we do not have a domain name, only a short hostname, so the DNS enabled box will not be enabled.

This appendix offers a variety of tips about accessing Linux and a variety of other things.
To access Linux on the HMC
To access the xterm on the HMC (Command Line Entry) you will need a PE passcode, which can be obtained from IBM support. To access the Linux command line:
  1. Log on HMC as hscpe user (user created by customer)
  2. Select Problem Determination (In "Service Applications" folder at Release 2.0 and above)
  3. Select Microcode Maintenance
  4. Enter serial number of the HMC and PE password obtained from support
  5. Select Launch xterm shell
Alternate way to open an Xterm on the HMC
If you have ssh set up, from the upper left corner click on Console then select Open Terminal Session, and enter your HMC hostname.
Use LAN Surveillance to check your network problem
Since HMC version 3.1, the LAN Surveillance feature has been added into Service Focal Point (SFP) to alert users if an LPAR is having a network/hostname setup/RMC authentication problem by reporting a SURVALNC Serviceable Event to the HMC. (Users can have e-mail set up for notification of this type of problem.) You can use "List Serviceable Events" to check for these errors; if there are none, you should not have problems with DLPAR/SFP. If there are errors, please go through the checklist to diagnose and correct the problem.
A quick way to verify if the system Network/Hostname is set up properly
From the HMC console, select "Server Management" then expand it to the LPAR level. Left click on an AIX 520 LPAR to get the pop-up menu, then select one of the items under "Dynamic Logical Partition" (for example, Memory). If you get the error messages
HMCERRV3DLPAR016: The selected logical partition is not enabled for 
dynamic logical partitioning operations

then there's a good chance the system is having a network/hostname setup problem. Please go through the checklist to diagnose and correct the problem. It's best to perform this procedure right after the HMC gets rebooted.
Check serial cable connection between HMC and CEC
On HMC:
> query_cecs  -  returns cecname
> get_cec_mode -m cecname  -  verifies connection to service processor

Checking for HMC version from ssh
Use the hsc version command.

This appendix provides answers to some common questions about RMC/DLPAR from the field.
Is there a relation between DLPAR/LparCmdRM and SFP/ServiceRM?
No, there is no relation between DLPAR and SFP. They are two independent daemons serving two different components. But, they're using the same RMC framework and thus subjected to the same authentication process, as well as the same network/hostname setup.
DLPAR is only supported on AIX 5.2; AIX 5.1x partitions will be not be initialized for DLPAR. It is correct to assume that if SFP works, DLPAR would work, but if DLPAR works, SFP might not be fully functional.
Authentication and authorization process between HMC and partitions
  1. On HMC: DMSRM pushes down the secret key and HMC hostname to NVRAM when it detects a new CEC. This process is repeated every 5 minutes. Each time an HMC is rebooted or DMSRM is restarted, a new key is used.
  2. On AIX: CSMAgentRM, through RTAS, reads the key and HMC hostname out from NVRAM. It will then authenticate the HMC. This process is repeated every 5 minutes on LPAR to detect new HMC(s) and key changes. An HMC with a new key is treated as a new HMC and will go though the authentication and authorization processes again.
  3. On AIX: After authenticating the HMC, CSMAgentRM will contact the DMSRM on HMC to create a ManagedNode resource in order to identify itself as an LPAR of this HMC. (At the creation time, the ManagedNode's Status attribute will be set to 127.) CSMAgentRM then creates a compatible ManagementServer resource on AIX.
  4. On AIX: After the creation of the ManagedNode and ManagementServer resources on HMC and AIX respectively, CSMAgentRM grants HMC permission to access necessary resource classes on the LPAR. After the granting HMC permission, CSMAgentRM will change its ManagedNode, on HMC, Status to 1. Without proper permission on AIX, the HMC would be able to establish a session with the LPAR but will not be able to query for OS information, DLPAR capabilities, or execute DLPAR commands afterward.
  5. On HMC: After the ManagedNode Status changed to 1, LparCmdRM querries for OS information, DLPAR capabilities, notifies CIMOM about the DLPAR capabilities of the LPAR, then waits for a DLPAR command from users. If the partitions support DLPAR capabilities, lsparittion -dlpar will list partitions with Active:<1> and DCaps:<0xf>.
What does the output of lspartition -dlpar mean?
Intended as a development tool, the output of lspartition -dlpar has following meaning:
<#0> Partition:<002, lpar.company.com, 9.8.206.215>
        Active:<1>, OS:<AIX, 5.2>, DCaps:<0xf>, CmdCaps:<0x1, 0x0>

Partition
<LParID, lpar_hostname, lpar IPaddress>
Active
<#>: - 0 means no session to lpar; 1 means otherwise
OS
<OSType, OSLevel>: Should be <AIX, 5.2> if it's Active<1>. If Active<1> and OS information is empty, this means the IBM.HostRM could have a problem on AIX. (I have not seen this happens yet!)
DCaps
<#>: - Value 0x0 means the LPAR does not support DLPAR operation. Value 0xf means all DLPAR operations are supported. Usually, this value goes together with the Active<1> above. The session must be established first before the information can be queried from the LPAR.
CmdCaps
<0x1, 0x0>: - No significant meaning for Release 3, version 1.x.x. In Release 3, version 2.2.x or above, the 0x1 means remote shutdown of the AIX LPAR can be done from the HMC.
Do IBM.DRM and IBM.HostRM need to be "Active" on partition for DLPAR to work?
No. IBM.DRM and IBM.HostRM are lazy start resource managers and could be in inoperative state if they're not used. They will be started as soon as the first IBM.DRM request is made from HMC. If lssrc -a on an LPAR shows IBM.DRM as inoperative, it is likely that HMC has never made a connection with the LPAR since it was rebooted or upgraded to a new level of AIX. In this case, on HMC, the command lspartition -dlpar would show the LPAR as Active<0>.
To diagnose and fix this type of problem, see "Table 3. Verify Your RMC/DLPAR Network/Hostname setup" in Checklist for DLPAR setup.
Does IBM.CSMAgentRM need to be active on HMC?
No. IBM.CSMAgentRM is not required for DLPAR/SFP. The CSMAgentRM .cdef file is shipped on HMC to support Distributed RMC, and therefore it will be listed as "inoperative."

Note: This section applies only to earlier versions of HMC and is here for reference only.
Most DLPAR problems we've encountered from the test labs have been improper network and hostname(s) setup. This section triess to reduce these network setup and configuration problems. For older releases of AIX (pre 5.1F and 2.0) or HMC (release 3, version 1.x or earlier), the hostname format, long or short, also requires some setup.
First, find out the hostname format that the HMC and its LPAR(s) are using -- short or long name. Your setup depends largely on the format of the hostname. The hostname format can be determined by typing the command hostname on the HMC and AIX system respectively, then use host return_from_hostname to verify it. For example:
> hostname
Partition.company.com
> host Partition.company.com
Partition.company.com has address 9.3.14.199

If DNS is On
This section is mostly applicable if the LPAR AIX level is at 5.1F/5.20 or ealier ,or HMC is at Release 3, version 1.x or ealier.
If the HMC and the partition(s) both use a long name
  • No hostname entry is needed in /etc/hosts on either AIX or the HMC.
  • If /etc/hosts has the hostname entry, the longname must be before the short name for HMC and all partitions (host names are case sensitive). For example,
    10.10.10.11    mymachine.mycompany.com      mymachine
  • After you update /etc/host file, refresh RMC by either rebooting or
      > /usr/sbin/rsct/bin/rmcctrl -z
      > /usr/sbin/rsct/bin/rmcctrl -A
Other hostname formats
If the hostname command returns the short name, put the short name before the long name in /etc/hosts on both HMC and the partitions. If the hostname command returns the long name, put the long name before the short name in the /etc/hosts file on HMC and all partitions (names are case sensitive). For example,
10.10.10.11    mymachine      mymachine.mycompany.com

Make sure that on the LPAR(s) (just lpar(s)), the file /etc/netsvc.conf exists with one line: hosts=local,bind
Refresh RMC by either rebooting or by commands
 > /usr/sbin/rsct/bin/rmcctrl -z
 > /usr/sbin/rsct/bin/rmcctrl -A

If DNS is Off
This section is mostly applicable if the LPAR AIX level is at 5.1F/5.20 or ealier, or HMC is at Release 3, version 1.x or ealier.
  • The HMC and LPAR(s) /etc/hosts file need to be modified to contain the correct entries for the HMC and all partitions' hostnames. If the hostname command returns the short name, put the short name before the long name in /etc/hosts for HMC and all partitions (names are case sensitive). If the hostname command returns the long name, put the long name before the short name in /etc/hosts for HMC and all partitions (names are case sensitive).
  • Make sure that on the LPAR(s) (just LPAR), the file /etc/netsvc.conf exists with one line: hosts=local,bind.
  • Refresh RMC by either rebooting or
      > /usr/sbin/rsct/bin/rmcctrl -z
      > /usr/sbin/rsct/bin/rmcctrl -A
Customers should add all the LPAR's hostnames to the /etc/hosts file on the HMC. The HMC hostname must be added to each LPAR /etc/hosts file. Because the customer does not have DNS data, we do not have a domain name, only a short hostname, therefore the DNS enabled box will not be enabled. 

Backup and Restoration IBM AIX

Backup and Restoration

System [rootvg] Backup :

Few Points:
a. rootvg backup can be taken thru mksysb command. Most people refer it as mksysb backup.
b. This type of backup on a tape is bootable. Hence its been widely used to restore the system incase of system crash.
c. Mksysb backup contains 4 images
i. BOS Boot Image - Kernel Device Drivers
ii. mkinsttape image - ./image.data, ./tapeblksz, ./bosinst.data and few other commands
iii. dummy .toc - Nothing but a dummy table of contents file
iv. rootvg data - This is where the actual data resides

Files used by mksysb:

/image.data :
Contains information about the image installed during the BOS installation process. This includes the sizes, names, mount points of LVs and file systems in the rootvg [Actually nothing but the rootvg structure]. It can be created using mkszfile command.

/var/adm/ras/bosinst.data :
It allows you to customize the OS installtion. Modified mostly to use the mksysb image to install new servers.

Few Commands :

To generate just /image.data :
# mkszfile

To create /image.data and generate a system backup on the tape :
# mksysb -i /dev/rmt0

To generate a system backup on the tape but to exclude /home directory and to create /image.data :
# echo /home > /etc/exclude.rootvg
# mksysb -ei /dev/rmt0

To list the contents of a mksysb image :
# lsmksysb -f /backup/system1.mksysb

To restore a specific file from mskysb image :
a. Rewind the tape :
# tctl -f /dev/rmt0 rewind
b. Move the tape forward to the end of 3rd image :
# tctl -f /dev/rmt0.1 fsf 3
c. Restore the specific file:
# restore -xqvf /dev/rmt0.1 /home/user1/file1

Non-rootvg Backup :

Few Points:
a. Volume groups other than rootvg can be backup'ed using savevg command.
b. You can exclude certain files by creating /etc/exclude.vgname.
c. VG data files are kept under, /tmp/vgdata/vg-name/vg-name.data.

Few Commands :

To backup a datavg to the tape drive :
# savevg -if /dev/rmt0 datavg

To backup a datavg to the tape drive and exclude certain files :
# savevg -ief /dev/rmt0 datavg

To restore the datavg image from the tape onto the disks specified in /tmp/vgdata/datavg/datavg.data file :
# restvg -f /dev/rmt0

To create the data file (/tmp/vgdata/oravg/oravg.data) for oravg :
# mkvgdata oravg

File System Backup :
File systems can be backup'ed using many ways.Few commands used for this are backup, cpio, dsm [TSM Client].

To back up all the files and subdirectories in the /home directory using full path names :
# find /home -print l backup -if /dev/rmt0

To back up all the files and subdirectories in the /home directory using relative path names :
# cd /home
# find . -print l backup -if /dev/rmt0

I have used "l" for the pipe symbol as it was not displaying properly in blog.

To backup a list of files:
# cat bakfile
/home/raja/file1.txt
/home/raja/file2.txt
/home/raja/file3.txt

# backup -iqvf /dev/rmt0

I-node Base Backup:


Here is the syntax for the backup command in case of inode based backup

Syntax:
# backup [-u] [-level] [-f device] filesystem

u -> Updates the /etc/dumpdates file
-level -> Values available from 0 to 9 where 0 is the full backup and 1-9 for backup the changes since the previous level.

To back up the /home file system by i-node :
# backup -0 -uf /dev/rmt0 /home

i-node based backup has the advantage of making incremental and differential backups. Here we use the numeric flags (0 to 9) to make the difference in the way it back ups. It actually updates the date/time/mode of last backup in /etc/dumpdates when you use the 'u' flag.

Here are the different numeric flags used and their meanings,

0 - Full Backup
1 - Back ups the files created/modified from the date/time of 0th backup
2 - Back ups the files created/modified from the date/time of 1th backup
3 - Back ups the files created/modified from the date/time of 2th backup
4 - Back ups the files created/modified from the date/time of 3th backup
5 - Back ups the files created/modified from the date/time of 4th backup
6 - Back ups the files created/modified from the date/time of 5th backup
7- Back ups the files created/modified from the date/time of 6th backup
8 - Back ups the files created/modified from the date/time of 7th backup
9 - Back ups the files created/modified from the date/time of 8th backup

Few Examples for i-node based backup :


Scenario 1 - Full and Incremental Backup :


If you want to have full backup of /home on sunday night and incremental backup on other nights, then follow the below procedure.

Sunday Night - Full Backup :
# backup -0 -uf /dev/rmt0 /home

Monday Night - Incremental Backup :
# backup -1 -uf /dev/rmt0 /home

Tuesday Night - Incremental Backup
# backup -2 -uf /dev/rmt0 /home

Wednesday Night - Incremental Backup :
# backup -3 -uf /dev/rmt0 /home

Thursday Night - Incremental Backup :
# backup -4 -uf /dev/rmt0 /home

Friday Night - Incremental Backup
# backup -5 -uf /dev/rmt0 /home

Saturday Night - Incremental Backup :
# backup -6 -uf /dev/rmt0 /home

Advantages of Incremental Backup:
a. It takes lesser time to restore the specific data.For example, if you lose a file that was created on thursday morning, then you need only the wednesday night tape to restore the specific file.
b. This method consumes less tapes for backup. Hence its cost effective compared to differential backup.

Disadvantages of Incremental Backup:
a. You need more number of tapes (from sunday-full to last night-incre) to restore the entire file system.

Scenario 2 - Full and Differential Backup :


If you want to have full backup of /home on sunday night and differential backup on other nights, then follow the below procedure.

Sunday Night - Full Backup :
# backup -0 -uf /dev/rmt0 /home

Monday Night - Differential Backup :
# backup -1 -uf /dev/rmt0 /home

Tuesday Night - Differential Backup :
# backup -1 -uf /dev/rmt0 /home

Wednesday Night - Differential Backup :
# backup -1 -uf /dev/rmt0 /home

Thursday Night - Differential Backup :
# backup -1 -uf /dev/rmt0 /home

Friday Night - Differential Backup :
# backup -1 -uf /dev/rmt0 /home

Saturday Night - Differential Backup :
# backup -1 -uf /dev/rmt0 /home

Advantages of Differential Backup:
a. It takes less tapes (from sunday-full and last night-incre) to restore the entire file system.Hence it is easy for the backup operator to restore the data.

Disadvantages of Differential Backup:
a. It consumes more tapes for backup. (since we are going to backup the same old files again and again for the whole week).Hence cost is more in this type of backup.

To list the contents of backup on the tape :
# restore -Tvf /dev/rmt0

To restore individual files from backup created by 'backup -i' command :
# restore -xvf /dev/rmt0 /home/user1/file1

To restore the entire file system :
# restore -rvf /dev/rmt0

Other Unix Backup Commands:

TAR:
tar is the only command (i think so) in UNIX which doesnot require a dash(-) infront of a flag.

To create a tar image in /tmp for a directory :
# tar cvf /tmp/oradata.tar /opt/oradata

To view the contents of a tar image :
# tar tvf /tmp/oradata.tar

To restore the tar image :
# tar xvf /tmp/oradata.tar

CPIO :
cpio reads and writes from stdin and stdout.

To backup the current directory to a /tmp/file.cpio file :
# find . -print cpio -ov > /tmp/file.cpio
To view the table of contents of the cpio archived tape :
# cpio -itvcC1 < /dev/rmt0


To restore data from the cpio archive file :
# cpio -idv < /tmp/file.cpio

To restore a selective file from cpio archived tape :
# cpio -imv /home/roger/.profile < /dev/rmt0

To restore selectively only the *.c and *.cpp file :
# cpio -i "*.c" "*.cpp" < /dev/rmt0


DD Command :
'dd' command copies (also converts) from an input device to an output device. This command will not span multiple tapes.
To copy a file and converting all the chars to upper case :
# dd if=/tmp/unixfile.txt of=/tmp/dosfile.txt conv=ucase

Tcopy Command :
Copies from one tape device to another.
To list the contents of a tape media :
# tcopy /dev/rmt0
To copy all the data from one tape to another tape device :
# tcopy /dev/rmt0 /dev/rmt1

tctl Command :
tctl has been widely used to control tape drives.
To rewind a tape device :
# tctl -f /dev/rm0 rewind
To fast forward to the beginning of 2nd tape mark :
# tctl -f /dev/rmt0.1 fsf
To do retension :
# tctl -f /dev/rmt0 retension
Retension is nothing but moving the tape to beginning, end and again to the beginning. You have to do this, if you encounter multiple read errors during the restoration operation.
To display the status of atape device :
# tctl -f /dev/rmt0 status
To eject a tape device :
# tctl -f /dev/rmt0 offline
TSM Client :

Few Points:
a. It requires a connection to TSM server and also a registeration in the TSM server.
b. You can take the 'backup' and 'archive' based on the TSM server configuration.
c. Archive can be taken for 90 days, 180 days, ... based on the management class.
d. Backup can have different versions. Last backup is the new and current version and oldest backup is the old version for every file that is backed up.
e. Most of the small sized companies keep 3 versions of backup, that means can have 3 backup version for each file.

To Backup a file :
# dsm backup /tmp/file1

To archive a file :
# dsm archive /tmp/file1

To list all the backed up filesystems :
# dsm query filespace

To verify the backup of a file :
# dsmc query backup /tmp/file1

To verify the inactive version of a backup of a file :
# dsmc query backup -inactive /tmp/file1

To verify the archive of a file :
# dsmc query archive /tmp/file1


To backup VIO Server :

To take the OS backup in a CD ROM :
# backupios –cd /dev/cd1 -cdformat

To take the OS backup in a DVD-RAM :
# backupios –cd /dev/cd1 -udf

To take the OS backup in a tape drive :
# backupios –tape /dev/rmt0

To verify the backup available in a tape :
# backupios –tape /dev/rmt0 -verify

To generate vio backup (tar file) in a file :
# backupios –file /opt/file1

To generate vio backup (mksysb image) in a file :
# backupios –file /opt/file1 -mksysb

Note: To restore a backup image on vio server, you have to use "installios" command in HMC. installios is a menu driven command (tool) which will ask for machine name, vio server(lpar) name, profile name for restoring the mksysb image.

Please let me know for any comments or corrections.

HMC Tips



The Hardware Management Console (HMC) runs a modified Linux operating system and system management software. Technical support for the HMC is provided by IBM's pSeries support center. The HMC is a closed system. Only IBM-approved software is allowed to run on the HMC. Normal Linux errata (including security APAR's) should not be installed on the HMC. Custom configurations and Linux system settings cannot be altered. Therefore, it is not possible to meet the IBM Security requirements that are documented in the technical specification for Linux. To ensure warranty and contract adherence, do not install any non-IBM-approved software or make any configuration changes that are not documented in the HMC users guide.
                Version 3 is specific to Power 4+ pseries frames, p690, p670, p650, etc
                Version 4 is specific to Power 5 pseries frames all p5##.


Security

While the HMC is considered to be somewhat of a hardware appliance by IBM, the following security controls have been put into place by the UNIX support team to ensure the basic security controls as prescribed by ITCS104 are covered.

HMC Registration and system activation:  As the HMC requires a network connection in most cases for the purpose of remote pSeries support and hardware management, the HMC should always be connected to the IBM Blue Zone Intranet. HMC systems should not be connected to any customer, private, DMZ, or Internet facing network. The HMC should be registered in the MaD database and scanned periodically to ensure that network security vulnerabilities are made known.

HMC Security Fixes: The IBM pSeries support center releases corrective service and security advisories periodically. System administrators and HMC users can subscribe to the IBM Fix Central security advisory center via the HMC website listed above. The Security Administrator within the department as long as the HMC expert subscribe to the Advisory mailing list. Corrective servive and security patches are installed on the HMC's systems supported by the department as needed. Changes to the HMC's are tracked using the IBM America's change and problem management process just like other systems supported by the department. The CIRATS database is used to keep track of resolvable security noncompliance issues for the HMC systems.

HMC root and hscroot userid passwords: Are managed via the same process for managing the root password for other systems supported by the department.

HMC through firewalls (via WebSM) uses a number of ports
port 22 for ssh
port 80
port 9090 for initial connection
from 1 to 3 ephemeral ports in the range 1024-65535 for ongoing communication
Note: In the 520 release, we added the capability to change both the initial connect port and the secondary port.  If you are using WebSM behind a firewall, you will most likely need to change the secondary port range to be a fixed range.
To set the range for the secondary port, you need to run the comand:
 /usr/websm/bin/wsmserver -enable -portstart port1 -portend port2
Where port1 and port2 specify the range of ports to use.  For example, if you only wanted to use the ports 20000 through 20010, you would run:
/usr/websm/bin/wsmserver -enable -portstart 20000 -portend 20010
This would make the secondary communication port come from the inclusive range 20000-20010 instead of being a random port.
Changing the secondary port does not affect the initial connection port of 9090.  To change the initial connection port, you would have to use the command:
 /usr/websm/bin/wsmserver -enable -listenport connectport
Where connectport is the port for the initial connection.  For example, to change the initial connection port to be 10000 instead of 9090, run
the command:
/usr/websm/bin/wsmserver -enable -listenport 10000
If you want to change both the initial connection port and the secondary connection ports, you have to set both with the same wsmserver command. For example:
/usr/websm/wsmserver -enable -listenport 10000 -portstart 20000 -portend 20010
One important thing to remember is that if you change the initial connection port to be something other than 9090, you need to change the
way you specify hosts in the WebSM console.  When the initial connection port is different, you must specify the hostname as hostname:port.  For example:
mysystem:10000
If you just specify the host as 'mysystem', the WebSM client will attempt to connect to port 9090.  So it is best to not change the
initial connection port if you don't have to.  Just open port 9090 in the firewall so you don't have to give the port number with the host.
So the best thing to do if you are running WebSM behind a firewall is to just set the port range with -portstart and -portend and open that port
range in the firewall along with 9090.
For HMC, since the WebSM server is a service started under xinetd, the /etc/xinetd.d/websm file will need to modified to apply the port
configuration settings.



Remote Access to the HMC via WebSM and SSH is not enabled by default at the time of Install.
            At the HMC console login with hscroot and enable both WebSM and SSH by selecting;
            HMC Management
            HMC Configuration
            Customize Network Settings
                LAN Adapters tab, select the adapter configured for the Blue Zone / 9. net, for version 4 HMCs this will be eth1 and select Details
                Firewall tab select WebSM, Secure Shell and the Allow Incoming button.

Install WebSM on your Windows or UNIX  workstation.
                Using your web browser of choice (Internet Explorer or Netscape)
                Access a HMC using the address format:             http://hmchostname/remote_client.html
                                Replace the above 'hmchostname' with the actual HMC hostname or IP address.
                                An example is:   http://test.test.com/remote_client.html
                                Login with your userid and password    
                Select WebSM installation of your choice and follow the instructions.

Remote Access via WebSM
                Launch the WebSM application.
                Enter the FQDN of the HMC followed by the tab key on the Log On Panel.
                                Allow the handshake to complete before continuing.
                Enter your userid userid and password.
                                The password for the userid 'hscroot' should be the same as our root user standard.

Remote Access via SSH
                # ssh -l your_userid@hmchostname/ip/dns entry.
                                             

Notes:                 hscroot password MUST be changed in the gui, command line change does not update the object database.
                                In our database under the Server By Account view, HMCs are listed with the OS type as Linux and the version as RedHat HMC
                                All of the typical frame management functions are available through the single HMC desktop or WebSM.





Cross-certify ssh from root@codeman to hscroot@HMC
For automation, we cross-certify ssh from root@codeman to hscroot on each HMC:
On codeman:
mykey=`cat $HOME/.ssh/codeman.pub`
ssh hscroot@YOURHMC mkauthkeys -a \"$mykey\"
respond to the hscroot password prompt
Now ssh from root to hscroot@YOURHMC and it should not prompt you for a password


Set up time sync
chhmc -c xntp -s add -a <time server>
hhmc -c xntp -s enable



            Web SM / GUI
                Login to the HMC at console or with WebSM.
            Drill into and right click on  the specific Partition and select Open Terminal Window - be patient.
                Note:    If the terminal window opens but is not displaying anything like the usual SMS screens or a login prompt then AIX has locked up like it would when running out of paging space.
                                The terminal window will identify which partition it is for in the top bar of the window.
                                The State and Operator Panel Value (LCD) do indicate the state of the partition on the Server Management screen
                                Right click the partition, select Operating System / Reset. Be sure you right click the correct partition.
crtl-Ins # cuts in vterm
shft-Ins # pastes in vterm

            HMC / SSH
            SSH into the HMC using the hscroot userid
                        # ssh hscroot@hmchostname     or ip address
                                $ /opt/hsc/bin/vtmenu
                The tool will retrieve and display a list of the LPARS.
                Select the # of the one you need and you will be presented with a console login prompt.

                After you exit the LPAR;
                                ~.            to close vtmenu, (ends your ssh session into the HMC also)
                                    vtmenu # lists all the lpars select # of the console you want ~. to exit
                                    ~. closes Secure IT
                                    ~~. closes the conection to the HMC
                                    ~~~. closes the terminal to the lpar / returns you to vtmenu




                Note:    The below is as provided by support but has not been confirmed.
                                                ~. above should only kill the vtmenu session
                                                mkvterm -m <mged_system> -p <partition>                                                             might fix it.
                                                /opt/hsc/bin/query_cecs                                                                                                will return the managed systems
                                                /opt/hsc/bin/query_partition_names          -m <managed systems>                will return partition names.

                     




                In order for dynamic allocation to work you must have network connectivity between the HMC and the LPAR.  If the HMC and the LPAR are separated by a firewall, you must have port 657 open bi-directionally from any effemeral port on either the HMC or the LPAR. You must also be at AIX level 5.2 or greater.

Dynamically Allocate Resources
                Log into the HMC at the console or via WebSM
                Select Server and Partition - Server Management and select the desired "Running" partition.
                Select "Selected" on the tool bar.
                                If Dynamic Logical Partitioning is grayed out the daemons are not running on the selected LPAR.
                Or right mouse button click on the partition name.
                                If Dynamic Logical Partitioning is not present the daemons are not running on the selected LPAR.
                Select Adapters, Processors or Memory
                                Adjust as needed and select OK.
                                                The Working window should appear and indicate Success when complete in less than a couple of minutes.
                If this fails you may need to rmdev the parent and child devices, error text from the above will tell you which parent to rmdev.
                You may need to run cfgmgr on the LPAR.

Check the DLPAR Daemons
                On the LPAR, start as needed.
                #  lssrc -a |grep rsct              should list
                                ctrmc                                     rsct                         53618    active
                                IBM.ERRM                          rsct_rm                  97566    active
                                IBM.ServiceRM                 rsct_rm                  105374  active
                                IBM.CSMAgentRM           rsct_rm                  102772  active
                                IBM.AuditRM                      rsct_rm                  35260    active
                                IBM.HostRM                       rsct_rm                  58914    active
                                IBM.DRM                             rsct_rm                  77616    active
                                ctcas                                     rsct                         31122    active



                     
                        This requires a recovery CD to boot from of the intended version.  Current versions must be requested on CD, see the below section Obtain HMC Recovery CDs
                        You will need to reboot the HMC and have the cd in the HMC so all these steps are at the console.

                        Login with hscroot at the HMC console and select Licensed Internal Code Maintenance, HMC Code Update, Save Upgrade Data, Hard drive. Allow this to complete.

                  Place HMC Recovery CD #1 , Exit and select Reboot.

                        The upgrade panel will come up and ask about a new install or upgrade, F1 - upgrade, F1 a second time.

                        The upgrade will continue and take several minutes, DVD drive will open and it will reboot when complete.
                        and there are some more prompts to answer...I'll get them on the next upgrade.

Note:            If the HMC comes up and does not know itself, (hscroot password at the default abc123, no network, no profiles) and you are sure you did the "Save Upgrade Data, Hard drive" above then your upgrade suffered a known problem.  You will have to call support to get a temporary password and tell them the correct / system reported serial number from the given HMC.  On a command line do # lshmc -v and see the SE# line.  Support will have you do something like this;
                                        Login as hscroot
                                        Create a hscpe userid and set it's password,  same as our root standard works here.
                                        Logout and back in as hscpe
                                        Right the desktop, select Termial, rshterm
                                        # pesh <serial number of the hmc as provided to support and returned from the lshmc -v>
                                        # su -    (su - root with root's pw)
                                        # mount /mnt/upgrade               (look for a doRestore file zero bytes, likely isn't there)
                                        # touch /mnt/upgrade/doRestore      (might pay to look for this file before touching.
                                        # shutdown -r now        (make sure there is nothing in the DVD drive)
                        There will prompts to answer about keeping the NIC config for eth0 and others if present, be sure to answer these prompts correctly.



             
This is Corrective Service Installation only if you are upgrading you will need to do the Software Upgrade first
Download the current update file from ;
http://www14.software.ibm.com/webapp/set2/sas/f/hmc/home.html
                             
Log into the HMC either at the console or via WebSM and select
                v3 Software Maintenance, HMC (note the current version)
            v4 Licensed Internal Code Maintenance, HMC Code Update (note the current version), Install Corrective Service

With a writeable DVD in the the HMC's DVD drive select
                v3/4 Backup Critical Console Data.  This will take a while, just let it complete.

On the same menu, select
                v3/4 Save Upgrade Data, and follow prompts to save the data to the hard drive.
                Failure to do this step could cause the loss of your Network, Async and Service Agent configuration. This data will be retrieved and reapplied after the upgrade completes.

On the same menu, select
                                v3/4 Install Corrective Service

Select the radio button    Download the corrective service file from a remote system, and then apply the downloaded   service file.
                                Remote site    resposity_server
                                Patch file           /inst.images/HMC/v#/maintfile..zip
                                User ID           userid                    must have ftp read access to the /inst.images/HMC suddirs and files.
                                Password         password            must be valid for the given user.
Note:    The above is FTP based and you will not be given any chance to drill into the correct directory or file, so be accurate.
                If you choose the cdrom option you will need to burn the contents of the .zip file onto a CDRW, do not put the contents of the .zip in a subdirectory on the CD, you will not be given the option to drill into the cd.

Select OK.
                A working window will appear and you can watch the progress.  Successful completion and the need for a reboot should appear.
STOP/READ  Version 4.4.2 has 2 update zip files, it is bad mojo to boot between them go back now and do the 0_2 file.
                                v4 has a update completion panel that allows for a automatic reboot, select the option and OK

To reboot the HMC;
                At the HMC console as you exit, the last panel you are presented with by default references Logout, change this to reboot and select ok.
                If you are remote, WebSM does not offer any option to reboot, on exit or anywhere in the tool.  With SSH enabled you can SSH into the HMC and reboot it.
                # ssh -l hscroot@hmchostname
                $ hmcshutdown -r -t 1                                shutdown with restart in 1 minute, you will get the command line back and have the option to exit, the -t option is not required.
                $ hmcshutdown -t now -r                          Shutdown and reboot immediately.
                $ exit








Frequent Question:

How can I turn off the amber Attention Light in the
operator panel?  (I am assuming that you've already
verified that there are no actionable and outstanding
service events.)

Using the HMC:  (Recommended)

   > Service Applications
     > Service Focal Point
       > Service Utilities
         > Highlight the Managed System name

           <Left Click>  Selected
           <Left Click>  System Attention LED
           <Left Click>  Action

Or; if HMC-less, from the command-line of the LPAR
    w/Service Authority

     # /usr/lpp/diagnostics/bin/usysfault -s normal

Or; if HMC-less, from the command-line of the LPAR
    w/Service Authority

     # diag
       > Task Selection
         > Log Repair Action
           > Select sysplanar0

Or; if HMC-less, from the command-line of the LPAR
    w/Service Authority

     # diag
       > Task Selection
         > Identify and Attention Indicators
           > Set System Attention Indicator to NORMAL



Hardware Configuration
                You may want to create a account specific document to keep track of the CPU, Memory and Adapter allocation. The WebSM does not provide a single view of all the hardware. Use this template as a starting point. (1)


Dealing with the GUI
                1. To change from GUI login to command line login on the HMC press control alt F1.

                2. To get back to the GUI from a command line login type control alt F2.

                3. To reboot the HMC from a command line, su to root and type /sbin/reboot.

Collecting LPAR info from the HMC
                Typically; access the HMC via a putty session,
turn-on logging of the session to a file and
then copy/paste the code:


for MANAGEDSYS in `lssyscfg -r sys -F type_model*serial_num`
do
echo "============MANAGED SYSTEM --> ${MANAGEDSYS}"
for LPAR in `lssyscfg -r lpar -m ${MANAGEDSYS} -F name`
do
echo "            ============LPAR --> ${LPAR} --> CPU resources"
lshwres -r proc -m ${MANAGEDSYS} --level lpar --filter lpar_names=${LPAR}
echo "            ============LPAR --> ${LPAR} --> Memory resources"
lshwres -r mem -m ${MANAGEDSYS} --level lpar --filter lpar_names=${LPAR}
echo "            ============LPAR --> ${LPAR} --> Physical adapters"
lshwres -r io --rsubtype slot -m ${MANAGEDSYS} --filter lpar_names=${LPAR}
echo "            ============LPAR --> ${LPAR} --> Virtual Ethernet config"
lshwres -r virtualio --rsubtype eth --level lpar -m ${MANAGEDSYS} --filter lpar_names=${LPAR}
echo "            ============LPAR --> ${LPAR} --> Virtual SCSI config"
lshwres -r virtualio --rsubtype scsi --level lpar -m ${MANAGEDSYS} --filter lpar_names=${LPAR}
echo "            ============LPAR --> ${LPAR} --> LPAR config"
lssyscfg -r lpar -m ${MANAGEDSYS} --filter lpar_names=${LPAR}
echo "            ============LPAR --> ${LPAR} --> LPAR profiles"
lssyscfg -r prof -m ${MANAGEDSYS} --filter lpar_names=${LPAR}
done
done


                     
HMC Communication ports
HMC Open Port Number/Protocol Application
22/TCP                                                                  Secure Shell
80/TCP                                                                  Web Server
9090/TCP                                                              WebSM initial connection
300000-300009/TCP                                          WebSM Communication
657/TCP                                                                Resource Monitoring and Control
657/UDP                                                               Resource Monitoring and Control


HMC Commands
lshmc –n (lists dynamic IP addresses served by HMC)
lssyscfg –r sys –F name,ipaddr (lists managed system attributes)
lssysconn –r sys (lists attributes of managed systems)
lssysconn –r all (lists all known managed systems with attributes)
rmsysconn –o remove –ip <ipaddr from lssysconn list> (removes a managed system from the HMC)
mkvterm –m {msys} –p {lpar} (opens a command line vterm from an ssh session)
rmvterm –m {msys} –p {lpar} (closes an open vterm for a partition)
Activate a partition
chsysstate –m managedsysname –r lpar –o on –n partitionname –f profilename –b normal
chsysstate –m managedsysname –r lpar –o on –n partitionname –f profilename –b sms
Shutdown a partition
chsysstate –m managedsysname –r lpar –o {shutdown/ossshutdown} –n partitionname [-immed][-restart]

Example 1: To retrieve the HMC Code Level, run the following command:
lshmc -V

Example 2: To retrieve the Managed Systems names, run the following command:
lssyscfg -r sys -F name

Example 3: To retrieve the HMC user profiles available, run the following command:
lshmcusr

Example 4: To retrieve the command usage/help for the lshwinfo HMC command, run the following command:
man lshwinfo

Example 5: To retrieve the current LIC levels for a given Managed System, run the following command:
Note: tttt is the machine type, mmm is the model, and sssssss is the serial number of the managed system. The tttt-mmm*sssssss form must be used if there are multiple managed systems with the same user-defined name.
lslic -t sys -m tttt-mmm*sssssss -F + lic_type-ecnumber-activated_level-installed_level-accepted_level

Example 6: To immediately shut down the HMC console and then restart it, run the following command:
hmcshutdown -t now -r

Port 9090 not listening - can't WebSM into HMC.

cat /opt/ccfw/data/FirewallSettings.ethx-NETAPP-INPUT

Web.name|0.0.0.0|0.0..0.0
SecureWeb.name|0.0.0.0|0.0.0.0
ASM.name|0.0.0.0|0.0.0.0
pegasus.name|0.0.0.0|0.0.0.0
RMC.name|0.0.0.0|0.0.0.0
FCS.name|0.0.0.0|0.0.0.0
Bobcat.name|0.0.0.0|0.0.0.0
Eclipse.name|0.0.0.0|0.0.0.0
vtty.name|0.0.0.0|0.0.0.0
vtty_proxy.name|0.0.0.0|0.0.0.0
i5250.name|0.0.0.0|0.0.0.0
ping.name|0.0.0.0|0.0.0.0
cim.name|0.0.0.0|0.0.0.0
l2tp.name|0.0.0.0|0.0.0.0
SLP.name|0.0.0.0|0.0.0.0
RPD.name|0.0.0.0|0.0.0.0
hwserver.name|0.0.0.0|0.0.0.0
ssh.name|0.0.0.0|0.0.0.0
ntp.name|0.0.0.0|0.0.0.0

Websm is not in the above file.  We peshed in and became root

Added the following entry to the file

WebSM.name|0.0.0.0|0.0.0.0

Rebooted
# hmcshutdown -r -t now


HMC 4 - alpha list of commands
The following HMC commands are available in the restricted shell for HMC Version 4.
HMC CLI commands        Command     Description
bkconsdata              Backs up critical console data
bkprofdata              Backs up profile data configuration
chaccfg                 Changes access control configuration
chcod                   Performs Capacity on Demand operation
chhmc                   Changes HMC's configuration
chhmcusr                Changes HMC user attribute
chhwres                 Changes hardware resource configuration (DLPAR)
chled                   Changes the state of an LED
chsacfg                 Changes Service Agent configuration
chsyspwd                Changes password for a managed system
chsysstate              Changes the state of a partition or managed system
chvet                   Activates the on-demand functions of Virtualization Engine technologies
chdump                  Copies managed system dumps from the HMC to DVD or a remote FTP site
getdump                 Offloads a dump from a managed system to the HMC
hmcshutdown             Shuts down the HMC
lsaccfg                 Displays access control configuration information
lscod                   Displays Capacity on Demand information
lsdump                  Displays available managed system dumps
lshmc                   Displays information about the HMC, such as network configuration
lshmcusr                Displays users on the HMC
lshwres                 Displays hardware resource information
lsled                   Displays LED information
lslic                   Displays Licensed Internal Code levels
lsrefcode               Displays reference codes
lssacfg                 Displays Service Agent configuration information
lssvcevents             Displays console or serviceable events
lssyscfg                Displays system resource configuration
lsvet                   Displays Virtualization Engine technologies information
mkaccfg                 Creates access control object
mkauthkeys              Adds or removes ssh keys on the HMC
mkhmcusr                Creates a user on the HMC
mksyscfg                Creates a system resource configuration such as a partition
mksysconn               Adds a managed system to the HMC
mkvterm                 Opens a Virtual Terminal session
pedbg                   Provides debug tools for Product Engineering
pesh                    Provides full shell access to Product Engineering
rmaccfg                 Removes access control object
rmhmcusr                Removes a user on the HMC
rmsyscfg                Removes a system resource configuration such as a partition
rmsysconn               Removes or resets a connection with a managed system
rmvterm                 Closes a virtual terminal session
rsthwres                Restores hardware resource configuration
rstprofdata             Restores profile data
startdump               Starts a managed system dump
updhmc                  Updates code on the HMC
updlic                  Updates Licensed Internal Code on a managed system
viosvrcmd               Issues a command to a virtual I/O server partition
Linux commands for the restricted shell
The following UNIX (Linux) commands are also available in the restricted shell for HMC Version 4
Linux CLI commands Command name     Command name               Command name
basename    cat         clear
cp          cut         date
diff        du          echo
egrep       expr        fgrep
getopt      grep        head
host        less        ls
man         more        mount
netstat     ping        scp
sed         sleep       sort
ssh         sum         tail
umount      uname       who
whoami


Using the HMC to create a detailed "SystemPlan"
A SystemPlan gives details of resources allocated to all LPARs (CPUs,
memory, physical I/O adapters and Virtual I/O adapters) on a System p
server. A SystemPlan can be created on HMC using 'mksysplan ' command
and view it using a browser on Windows workstation. This will be a
useful reference document for System Administrators and as well Server
Architects.

A SystemPlan can also be deployed from another server to duplicate
the environment. This option is available in the HMC GUI screen for
SystemPlans.



Your HMC must (already) be configured for remote access.

Steps to generate and view a systemplan  below.

1. Login to HMC using ssh command line.

2. Run the command:  mksysplan -f <filename.sysplan> -m <Managed Server>

3. On a  Windows workstation, launch WebSM, connect to HMC and login.

4.  Click on System Plans/Manage System plans.

5. The pop-up window shows the systemplan you created.

6. Click on the systemplan and then click on View.

7. If Step #6 launches a browser window that fails with an error message,
   change the URL as follows:

   - Change http to https

   - Change port 4411 to 9443.

   - Leave the rest of the info. as-is.  Move the cursor to the end and press
     <Return>. You will see the Systemplan.

   - The defect for port 4411 in HMC 5.2 is fixed in 5.2.1 or 6.x code
Fuente:  sriniv

martes, 7 de agosto de 2012

Preguntas y Respuestas sobre HMC


1. What is the maximum number of servers managed by HMC ?

> Maximum of 48 non-590-595 servers
> Maximum of 32 590/595 servers

2. What is the maximum number of LPARs supported by a HMC ?

> Maximum of 254 LPARs

3. How many HMCs can manage a server at one time ?

> You can have a maximum of 2 HMCs manage a server at one time

4. What are the different types of dynamic operations you can do with CPU, Memory and I/O Adapter on a LPAR ?

> Add
> Remove
> Move

5. How do we connect the HMC to power machines ?

For Power-4 machines, we connect the hmc using serial cables.

But for Power-5 machines, HMC connects to service processors via SSL-encrypted Ethernet, replacing the serial cables.

6. Do we have firewall configured in HMC ?

Yes. Each network card has an integrated firewall.

7. Do we need to configure DHCP in HMC ?

HMC may be a DHCP server for entry and mid-range servers.

But for high-end servers like P595, HMC must be a DHCP server

8. can we have the same HMC to manage P4 and P5 machines ?

POWER5 HMCs cannot manage POWER4 servers, and vice versa.

9. Can we have the existing P4 HMCs upgraded to support P5 machines ?

Yes. We can. This involves a complete overwirte of teh disk and the loss of all previous configuration including user profiles.

10. What to do incase of disk failure in HMC ?

We can restore the HMC using recovery CD.
Then restore the latest Critical consule data backup which will restore the profiles, user ids, passwords, etc..

11. What is the default user id and password for the HMC ?

When the HMC is powered on the first time, login as hscroot and password as 'abc123'.

12. Can we manage a power machine without a HMC ?

Yes. We can run a server in manufacturing default mode, will all resources but no logical partitionings, CoD or Service Focal point,etc..
For entry level server, we can use the Integrated Virtualization Manager.

13. What is the network critetia for dual HMC connection ?

Dual HMCs require two different private networks.

14. What is the default service processor IP address in Power-5 Machines ?

Eth0 - HMC1 - 192.168.2.147 / 255.255.255.0
Eth1 - HMC2 - 192.168.3.147 / 255.255.255.0

15. What is the default user id and password for accessing service processor ?

User id - admin
Password - admin

16. Do we need a HMC for p5 model servers ?

One HMC is mandatory for 590, 595 or 575.
Dual HMC are recommended.

17. Do we need private network for HMc connectivity for p5-595 ?

One private network is mandatory for p5 590,595 or 575.

18. Can we have IVM support multiple servers ?

One IVM allowed per server and it only manages partitions on one server.

19. What does FSP (Flexible Service Processor) has ?

FSP has
a. Operating System
b. UserIds / Passwords
c. Filesystem
d. Networking
e. Firewall
f. Webserver
g. ASMI
h. Firmware

20. What to do if you forgot the admin password for FSP ?

If you do not know the admin password, place a hardware call to get 'celogin'

21. What to do if you forgot the HMC hostname/ipaddress for a long running LPAR ?

You can always get the HMC IPaddress from a LPAR if we have performed "handshake" with the HMC.

Issue the below command to get the HMC IPAddress

# lsrsrc IBM.ManagementServer
Resource Persistent Attributes for IBM.ManagementServer
resource 1:
Name = "169.121.54.48"
Hostname = "169.121.54.48"
ManagerType = "HMC"
LocalHostname = "169.121.54.59"
ClusterTM = "9078-160"
ClusterSNum = ""
ActivePeerDomain = ""
NodeNameList = {"SAP-PRodServer"}

22. One HMC should be within 8metres of Managed Server

23. Each FSP Ethernet port should be connected to only one HMC
Twitter Bird Gadget