Translate

Monday 31 March 2014

What difference does the $LANG variable make?

Everyone knows that changing the language setting $LANG can change the way in which symbols such as € are displayed, however they may not be aware of how it can subtlety change the way in which items such as the datestamp on files e.g.

With the $LANG set to "C":
crw-rw-rw-    1 root     system        2,  3 Oct 6 2011  /dev/zero

  Snapshots for /test
  Current  Name         Time
!          snapshot1    Tue Aug 14 14:40:52 2012
! *        snapshot2    Tue Aug 14 14:45:09 2012


With the $LANG set to "EN_US":
crw-rw-rw-    1 root     system        2,  3 Oct 06 2011  /dev/zero

   Snapshots for /test
  Current  Name         Time
!          snapshot1    Tue Aug 14 14:40:52 CEST 2012
! *        snapshot2    Tue Aug 14 14:45:09 CEST 2012


Whilst these changes can seem purely cosmetic, and appear to make no difference, if you are running automated tasks such as backup scripts this can make them fail or behave oddly.

Thursday 27 March 2014

Some nice new free resources from IBM



IBM Power Systems Technical Webinars

This series of YouTube videos covers many aspects of building, installing, and maintaining IBM hardware and software:
 

Java Application Performance

This is a free browser-based Java application performance analysis tool. It produces reports when you upload your code to their website, hence no agents are required:

Wednesday 26 March 2014

Problems displaying X-Fonts

If you are having response problems when running X11 apps such as ikeyman e.g.

Cannot load fonts for IMF.
Cannot create fontset.




Try changing your $LANG setting to C and then restart the application:

# export DISPLAY=192.168.1.66:0.0
# export LANG=C
# ikeyman

If the problem persists and you are unable to correctly display your fonts try copying the TTF files to your local Windows font cache and restarting the application e.g.

From: /opt/IBM/ldap/V6.1/java/jre/lib/fonts
To: C:\Program Files (x86)\Xming\fonts\TTF

Note: You may have to create the "fonts\TTF" directories and also require Administrator privileges/

I am also unsure of the legal status of copying the fonts so you may need to check with IBM?

Wednesday 19 March 2014

AIX 7.1 New Features

AIX 6.1 provided a wealth of new features and functionality, and upgrading from previous versions of the OS could prove a massive challenge, and demand that users learn a lot of new commands.

The change between versions 6.1 and 7.1 is far more subtle, and some cases almost imperceptable.
The problem is that this has left many businesses wondering why they should bother whilst AIX 6.1
is still supported.

My personal view is that IBM will start to include more new Power-7 and Power-8 functionality in AIX 7.1, whilst only providing basic compability for version 6.1 users. A good example of this is that the new Active Memory™ Expansion technology is only available on (non Express) Power-7 and Power-7+ systems.

Here is a brief summary of the new functionality currently available:

1. The amepat (Active Memory™ Expansion Planning and Advisory Tool) command (also available in AIX 6.1)  can be used to plan and test the effectiveness of your AME configurations.

2. New switches have been added to the vmstat, lparstat, and svmon commands in order to monitor the effectiveness of AME configurations.

3. AIX 7.1 now supports NTP version 4. You can have both versions installed and flip between them by re-linking the "/usr/sbin/xntpd" executable.

4. New performance tuning options are available in the "/usr/lib/security/methods.cfg" file e.g.

KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = kadmind_timeout=300


5. AIX 7.1 can support up to 8192 user groups. Earlier versions only supported 128. This is the default setting and can be checked as follows:

# lsattr -El sys0 -a ngroups_allowed
ngroups_allowed 128 Number of Groups Allowed True

6. The "caseExactAccountName" option can now be added to the “/etc/security/ldap/ldap.cfg” file enabling AIX LDAP to conduct non-case-sensitive searches.

7. AIX 6.1 and 7.1 can now include a pathid in the system boot (bosboot) string (This is also available in later versions of 6.1)

# lspath -t
Enabled hdisk0 scsi1 0
Enabled hdisk1 scsi1 0
Enabled hdisk2 scsi1 0
Enabled hdisk3 scsi1 0

10. NFS-4 now includes the nfs4cl command (This is also available in later versions of 6.1)

# nfs4cl showfs

Server      Remote Path          fsid                 Local Path
--------    ---------------      ---------------      ---------------



Monday 17 March 2014

AIX 7.1 storage compatibilty

IBM has created a new website where you can check which AIX 7.1 features are available for a particular storage device. You can export the search results to CSV format:

http://www-03.ibm.com/systems/support/storage/ssic/interoperability.wss

Wednesday 12 March 2014

IBMs letter from the chairman

I found the text a little contradictory in places, particularly regarding the future direction of AIX, but it makes for an interesting read:

http://www.ibm.com/annualreport/2013/chairmans-letter.html

http://www.ibm.com/annualreport/2013/index.html

Encrypted filesystems

EFS status

EFS was introduced at AIX 6.1. It enables files, directories, and filesystems to be encrypted so that even root cannot access them without having the key/credentials. It also means that if your system is booted in maintenance mode, or a disk misplaced, the data remains safe.

In order to use EFS you first install the CLIC (crypto) libraries:

# lslpp -l 'clic*'
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  clic.rte.kernext           4.7.0.1  COMMITTED  CryptoLite for C Kernel
  clic.rte.lib               4.7.0.1  COMMITTED  CryptoLite for C Library


 Once installed you can run the "efseneable" command. This creates the "/var/efs" directory and adds entries to the ODM, "etc/security/user" and "/etc/security/group" files.

Risks and remediation

EFS is only secure so longer as the keys are not compromised.

WARNING! The default cipher is AES_128_CBC which is considered as breakable. If you are concerned you should use the "-f cipher" argument when running "efsenable". You should also check the "/etc/security/user" and "/etc/security/group" to ensure that the default is set correctly:
 
lssec -f /etc/security/user -s default -a efs_keystore_algo -a efs_file_algo
lssec -f /etc/security/group -s default -a efs_keystore_algo