= AIX 6.1 =
**Summary**: ALthough AIX is by now on version 7.3 I find these old pages so fascinating I decided to keep them. On this page I'll install a standard AIX 6.1, which was probably done on a blade power system. \\
**Date**: Between 2010-2013 \\
**Refactor**: 21 December 2024: Checked formatting. \\
{{tag>aix}}
== Introduction ==
The purpose is to create a Standard Operating Environment which can be installed through NIM, and offers all functionality as configured on 5.3:
* All default configuration and setup
* For example DNS, NTP, filesystems, additional software, etc.
* Tuning
* For example limitations, unnecessary software and services, etc.
* User Environment
* Profile and homedir configuration
* Security
* AIX security
* LDAP authentication on eDirectory
* Sudo
* Syslog
Although the paragraphs will refer to more necessary when necessary the overall document on which this article is based is [[aixpostinstall]]. That document was created on AIX 5.3 and gives a lot of background information. This document adds specific information for AIX 6.1, but does not copy the background information which is also valid for AIX 5.3. So, in conclusion, if you need more information the [[aixpostinstall]] is your best place to start.
= Installation =
The installation is performed through NIM and the version installed is:
6100-04-03-1009
which was released in February 2010. During the install I accepted all default settings.
[[aixnimclientadd#aix_nim_client_add|How to add a client in NIM]] \\
[[aixniminstall|How to install a NIM client]]
= Default Configuration
== Change Root
* Change root's password by issuing the command 'passwd' on the commandline after login.
* Change root's account through smitty by issuing the command 'smitty users' on the commandline:
* Change / Show Characteristics of a User
* Select the root user
* Set root's home directory to /home/root
Note:
* You'll have to create the /home/root directory and set permissions.
* Because Root's home is initially set to / you might want to copy root's files to it's new home directory.
== DNS
Setup DNS by editing the 'resolv.conf' configuration file:
# vi /etc/resolv.conf
nameserver 10.10.10.100
nameserver 10.10.10.101
search intranet.company.nl company.local
Note:
* The search entry can have up to a maximum of 1024 characater strings for the DomainName variable.
* The first DomainName variable is interpreted as the default domain name.
* The DomainName variable is the name of a domain that should be included in the search list.
* The domain entry and search entry are mutually exclusive. If both entries are used, the one that appears last will override the other.
== NTP
==== Timezone
Setup the timezone through 'smitty':
* System Environments
* Change / Show Date, Time, and Time Zone
* Change Time Zone Using System Defined Values
* Select your country (NL - Netherlands)
* Select your time zone name (Europe/Amsterdam - (GMT+01:00/GMT+02:00) Central Europe)
* Confirm
==== NTP Config
Setup NTP by editing the 'ntp.conf' configuration file:
# vi /etc/ntp.conf
#broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server ntp.company.nl
==== Set the Time
# ntpdate ntp.company.nl
3 Mar 10:02:29 ntpdate[250036]: step time server 10.10.10.100 offset 0.975368 sec
# ntpdate ntp.company.nl
3 Mar 10:02:39 ntpdate[250040]: adjust time server 10.10.10.100 offset 0.000045 sec
==== NTP Service
Configure the NTP service to start automatically through 'smitty xntpd':
* Start Using the xntpd Subsystem
* BOTH
==== Reboot
To completely setup time and related services correctly reboot since the timezone change requires one.
== NFS
Add the company NFS share through 'smitty manfs'
* Network File System (NFS)
* Network File System (NFS)
* Add a File System for Mounting
* Pathname of mount point [/exports/install]
* Pathname of remote directory [/exports/install]
* Host where remote directory resides [fileserver.company.nl]
* Mount now, add entry to /etc/filesystems or both? [both]
* /etc/filesystems entry will mount the directory on system restart. [yes]
* Mode for this NFS file system [read-only]
* Transport protocol to use [udp]
* Allow execution of setuid and setgid programs in this file system? [no]
* Allow device access via this mount? [no]
==== Check
There is a new filesystem defined in /etc/filesystems:
/exports/install:
dev = "/exports/install"
vfs = nfs
nodename = fileserver.company.nl
mount = true
options = ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
account = false
This filesystem is already mounted:
# mount
node mounted mounted over vfs date options
-------- --------------- --------------- ------ ------------ ---------------
/dev/hd4 / jfs2 Mar 03 10:13 rw,log=/dev/hd8
/dev/hd2 /usr jfs2 Mar 03 10:13 rw,log=/dev/hd8
/dev/hd9var /var jfs2 Mar 03 10:13 rw,log=/dev/hd8
/dev/hd3 /tmp jfs2 Mar 03 10:13 rw,log=/dev/hd8
/dev/hd1 /home jfs2 Mar 03 10:14 rw,log=/dev/hd8
/dev/hd11admin /admin jfs2 Mar 03 10:14 rw,log=/dev/hd8
/proc /proc procfs Mar 03 10:14 rw
/dev/hd10opt /opt jfs2 Mar 03 10:14 rw,log=/dev/hd8
/dev/livedump /var/adm/ras/livedump jfs2 Mar 03 10:14 rw,log=/dev/hd8
fileserver.company.nl /exports/install /exports/install nfs3 Mar 03 10:32 ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
== Filesystems
When AIX gets installed the filesystem gets a certain amount of space dependent on the size of the disk and what is installed:
# df -m
Filesystem MB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 320.00 154.38 52% 12990 25% /
/dev/hd2 2144.00 355.22 84% 39261 31% /usr
/dev/hd9var 192.00 17.66 91% 6439 57% /var
/dev/hd3 64.00 61.55 4% 24 1% /tmp
/dev/hd1 32.00 31.62 2% 11 1% /home
/dev/hd11admin 128.00 127.63 1% 5 1% /admin
/proc - - - - - /proc
/dev/hd10opt 96.00 12.57 87% 1886 37% /opt
/dev/livedump 256.00 255.64 1% 4 1% /var/adm/ras/livedump
Change the size of the filesystems using the 'chfs' command:
# chfs -a size=2G /
# chfs -a size=4G /usr
# chfs -a size=1G /var
# chfs -a size=1G /tmp
# chfs -a size=512M /home
# chfs -a size=10G /opt
Result:
# df -m
Filesystem MB blocks Free %Used Iused %Iused Mounted on
/dev/hd4 2048.00 1882.11 9% 12990 3% /
/dev/hd2 4096.00 2306.92 44% 39261 7% /usr
/dev/hd9var 1024.00 849.48 18% 6441 4% /var
/dev/hd3 1024.00 1021.37 1% 24 1% /tmp
/dev/hd1 512.00 511.55 1% 11 1% /home
/dev/hd11admin 128.00 127.63 1% 5 1% /admin
/proc - - - - - /proc
/dev/hd10opt 10240.00 10155.02 1% 1886 1% /opt
/dev/livedump 256.00 255.64 1% 4 1% /var/adm/ras/livedump
== Additional Software
Download the latest rpms:
[[http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/download.html|IBM AIX Toolbox for Linux Applications Information page]] \\
[[ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/|Actual FTP download site]] \\
Get SSH and SSL from the AIX installation and expansion DVDs.
==== Install AIX Software
Install AIX software with 'smitty install_latest':
* enter dir with software
......
Installation Summary
--------------------
Name Level Part Event Result
-------------------------------------------------------------------------------
rpm.rte 3.0.5.51 USR APPLY SUCCESS
rpm.rte 3.0.5.51 ROOT APPLY SUCCESS
openssl.base 0.9.8.1100 USR APPLY SUCCESS
openssl.base 0.9.8.1100 ROOT APPLY SUCCESS
openssh.base.client 5.2.0.5300 USR APPLY SUCCESS
openssh.base.server 5.2.0.5300 USR APPLY SUCCESS
openssh.base.client 5.2.0.5300 ROOT APPLY SUCCESS
openssh.base.server 5.2.0.5300 ROOT APPLY SUCCESS
==== Install RPMS
This is a selection of RPMS I like to install on an AIX system:
# rpm -iv *.rpm
bash-3.2-1
gcc-4.2.0-3
gettext-0.10.40-8
less-382-1
lsof-4.61-3
sudo-1.6.9p15-2noldap
tar-1.14-2
vim-common-6.3-1
vim-enhanced-6.3-1
vim-minimal-6.3-1
which-2.14-1
==== SSH and SSL Config
SSH must be configured so X11 forwarding works as well. In a later configuration stage root will be forbidden to logon remotely, but for now that is still allowed. Configuration includes two files: /etc/ssh/sshd_config and /etc/ssh/ssh_config:
bash-3.2# cat /etc/ssh/sshd_config | grep '^[A-z]'
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
TCPKeepAlive yes
XauthLocation /usr/bin/X11/xauth
Banner /etc/secure_banner
Subsystem sftp /usr/libexec/sftp-server
bash-3.2# cat /etc/ssh/ssh_config | grep '^[A-z]'
ForwardX11 yes
ConnectTimeout 30
Protocol 2
Restart the ssh daemon:
# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start
After restarting your session you can issue 'xclock' to see if it's working.
See [[cygwin]] to see how to setup your local Windows installation for X11 forwarding.
Note: Don't forget to create and place you secure_banner in /etc.
==== Oracle Requirements
Oracle has a few requirements when installed on an AIX box, and one of them is not installed by default: bos.adt.libm. The package can be installed using the NIM server:
bash-3.2# lslpp -l bos.adt.libm
lslpp: Fileset bos.adt.libm not installed.
bash-3.2# nimclient -l -L ms-soe6
......
lpp_6100_04_03 lpp_source
......
bash-3.2# nimclient -o allocate -a lpp_source=lpp_6100_04_03
bash-3.2# nimclient -l -c resources ms-soe6
lpp_6100_04_03 lpp_source
bash-3.2# nimclient -o cust -a lpp_source=lpp_6100_04_03 -a filesets=bos.adt.libm
......
bash-3.2# lslpp -l bos.adt.libm
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.adt.libm 6.1.4.0 APPLIED Base Application Development
Math Library
See [[aixnim#install_additional_software_from_lpp_source|AIX NIM]] for more information on how to install software using a NIM server.
= Tuning
== AIX Limitations
For system stability reasons AIX has a few limitations which interfere (within our company) with production processes.
==== SWAP
By default, the swap space is defined as 512 MB which is a little bit low when oracle, websphere or any other demanding application is running.
Set the paging space to 4 GB for better performance:
bash-3.2# lsps -a
Page Space Physical Volume Volume Group Size %Used Active Auto Type Chksum
hd6 hdisk0 rootvg 512MB 2 yes yes lv 0
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space Physical Volume Volume Group Size %Used Active Auto Type Chksum
hd6 hdisk0 rootvg 4096MB 1 yes yes lv 0
==== Large Files
By default no one on the system is allowed to work with large files to prevent the filesystems from becoming full too fast, but we need root to work with large files. To do so, adjust the /etc/security/limits and these lines in the root section:
root:
fsize = -1
data = -1
stack = -1
== Network
By default, AIX waits 200 ms before sending the TCP acknowledgement. To disable this setting issue:
bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file
In [[aixpostinstall]] are extended tests regarding AIX performance and more background information.
== Memory
When running Oracle the memory is better adjusted to meet the demands Oracle can make:
bash-3.2# vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o lru_file_repage=0
Setting minperm% to 5 in nextboot file
Modification to restricted tunable maxperm%, confirmation required yes/no yes
Setting maxperm% to 90 in nextboot file
Modification to restricted tunable maxclient%, confirmation required yes/no yes
Setting maxclient% to 90 in nextboot file
Modification to restricted tunable lru_file_repage, confirmation required yes/no yes
Setting lru_file_repage to 0 in nextboot file
Setting minperm% to 5
Setting maxperm% to 90
Warning: a restricted tunable has been modified
Setting maxclient% to 90
Warning: a restricted tunable has been modified
Setting lru_file_repage to 0
Warning: a restricted tunable has been modified
The default settings are:
vmo -p -o minperm%=20 -o maxperm%=80 -o maxclient%=80 -o lru_file_repage=1
== Unnecessary Software
Software that is unnecessary:
* Alternate Disk Installation:
* bos.alt_disk_install.boot_images
* bos.alt_disk_install.rte
* Cluster Systems Management:
* csm.client
* csm.core
* csm.deploy
* csm.diagnostics
* csm.dsh
* csm.gui.dcem
To remove these packages issue:
installp -u bos.alt_disk_install.boot_images bos.alt_disk_install.rte csm.client csm.core csm.deploy csm.diagnostics csm.dsh csm.gui.dcem
==== According to KPMG security
* AIX Security Hardening:
* bos.aixpert.cmds
* bos.aixpert.websm
* Reliable Scalable Cluster Technology (RSCT)
* rsct.core.gui
* rsct.core.lprm
* rsct.core.sensorrm
installp -u bos.aixpert.cmds bos.aixpert.websm rsct.core.gui rsct.core.lprm rsct.core.sensorrm
== Unnecessary Services
For more information about the services see the [[http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/capp_sys_services.htm|AIX Services Documentation]].
==== Unnecessary Inetd Subservers
Use these commands to turn all subservers off:
chsubserver -d -v ftp -p tcp
chsubserver -d -v telnet -p tcp
chsubserver -d -v shell -p tcp
chsubserver -d -v kshell -p tcp
chsubserver -d -v login -p tcp
chsubserver -d -v klogin -p tcp
chsubserver -d -v exec -p tcp
chsubserver -d -v comsat -p udp
chsubserver -d -v uucp -p tcp
chsubserver -d -v bootps -p udp
chsubserver -d -v finger -p tcp
chsubserver -d -v systat -p tcp
chsubserver -d -v netstat -p tcp
chsubserver -d -v tftp -p udp
chsubserver -d -v talk -p udp
chsubserver -d -v ntalk -p udp
chsubserver -d -v rquotad -p udp
chsubserver -d -v rexd -p tcp
chsubserver -d -v rstatd -p udp
chsubserver -d -v rusersd -p udp
chsubserver -d -v rwalld -p udp
chsubserver -d -v sprayd -p udp
chsubserver -d -v pcnfsd -p udp
chsubserver -d -v echo -p tcp
chsubserver -d -v echo -p udp
chsubserver -d -v discard -p tcp
chsubserver -d -v discard -p udp
chsubserver -d -v chargen -p tcp
chsubserver -d -v chargen -p udp
chsubserver -d -v daytime -p tcp
chsubserver -d -v daytime -p udp
chsubserver -d -v time -p tcp
chsubserver -d -v time -p udp
chsubserver -d -v instsrv -p tcp
chsubserver -d -v xmquery -p udp
chsubserver -d -v imap2 -p tcp
chsubserver -d -v pop3 -p tcp
chsubserver -d -v wsmserver -p tcp
After disabling all subservers don't forget to refresh the inetd daemon:
refresh -s inetd
==== Unnecessary Subsystems
Use these commands to stop and disable subsystems that are automatically started by AIX but are not needed:
chrctcp -S -d inetd
chrctcp -S -d snmpd
chrctcp -S -d hostmibd
chrctcp -S -d snmpmibd
chrctcp -S -d aixmibd
chrctcp -S -d writesrv
chrctcp -S -d qdaemon
* inetd: nternet daemon
* snmpd: simple network management protocol
* snmpmibd: extends snmp possibilities
* hostmibd: extends snmp possibilities
* aixmibd: extends snmp possibilities
* writesrv: enables the ability to receive massages from users from a remote system
* qdaemon: printer queue daemon
==== Remove Services from Inittab
Inittab starts a few more services which can be removed from inittab using these commands:
rmitab piobe
rmitab writesrv
rmitab qdaemon
rmitab naudio
rmitab naudio2
rmitab xmdaily
rmitab pconsole
* piobe: spooler backend
* naudio(2): configures pci audio devices
* xmdaily: collects data regarding performance information
* pconsole: system director console (web administration tool)
==== SLP DA
Since the introduction of AIX 6.1 TL 3 an extra service can be disabled. More information can be found in this [[http://publib.boulder.ibm.com/infocenter/aix/v6r1/topic/com.ibm.aix.ntl/RELNOTES/SC23662905.pdf|pdf (page 16)]].
\\
To disable this Systems Director Common Agent (which is like a SLP DA) follow these steps:
* Comment out these line in /etc/inittab:
#platform_agent:2:once:/usr/bin/startsrc -s platform_agent >/dev/null 2>&1
#cimservices:2:once:/usr/bin/startsrc -s cimsys >/dev/null 2>&1
* Also run these commands:
sudo /opt/ibm/director/agent/runtime/agent/bin/endpoint.sh stop
The LWI Nonstop Profile was not running.
sudo /opt/ibm/director/agent/runtime/nonstop/bin/installnonstop.sh -uninstallservice
= User Environment
== Profile
I used [[aixprofile]] to setup the profile for all users.
== Home Directory
I used [[aixautohomedir]] to setup the automatic creation of home directories for users.
= Security
== AIX Security
==== Intruder Lockout
To prevent brute force account hacking enable intruder lockout. This can be done by editing '/etc/security/login.cfg':
default:
sak_enabled = false
logintimes =
logindisable = 4
logininterval = 60
loginreenable = 30
logindelay = 5
For more information about these settings please check [[aixpostinstall#intruder_lockout_settings|this page]].
==== Valid Shells
Add bash to the list of valid shells, which can be done in the same file, '/etc/security/login.cfg':
usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/u
sr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin
/snappd,/bin/bash,/usr/bin/bash
maxlogins = 32767
logintimeout = 60
maxroles = 8
auth_type = STD_AUTH
==== Default User Settings
Set the default options for new created users to a higher level of security, 'vi /etc/security/user':
default:
admin = false
login = false
su = false
daemon = true
rlogin = true
sugroups =
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 022
expires = 0
SYSTEM = "compat"
logintimes =
pwdwarntime = 7
account_locked = false
loginretries = 3
histexpire = 26
histsize = 4
minage = 1
maxage = 13
maxexpired = -1
minalpha = 5
minother = 3
minlen = 8
mindiff = 1
maxrepeats = 2
dictionlist =
pwdchecks =
==== Root Login
Set, in the same file, that root is allowed to login, 'vi /etc/security/user':
root
login = true
==== Automatic Timeout
Set an automatic timeout for sessions of one hour, 'vi /etc/profile':
.......
# Automatic logout, include in export line if uncommented
TMOUT=3600
......
export LOGNAME MAIL MAILMSG TERM TMOUT
......
==== Sendmail Privacy
Edit the /etc/sendmail.cf file to minimize the information sendmail shows on connection:
# privacy flags
O PrivacyOptions=goaway
See [[sendmailsecurity]] for more information about sendmail security.
Don't forget to restart sendmail afterwards.
== LDAP
LDAP authentication has been setup as described in [[aixldapedirectory]].
== Sudo
Sudo security has been setup as described in [[sudo]].
== Root
You now have to make the final changes to the root account. Since you now have sudo rights for LDAP users root should no longer be allowed to login, except in emergencies. So, make sure users are allowed to 'su' to root and that root is only allowed a local login. You can change that in 'smitty users':
* Change / Show Characteristics of a User
* Select root
* Another user can SU TO USER?
* Set from "false" to "true".
* User can LOGIN REMOTELY(rsh,tn,rlogin)?
* Set from "true" to "false".
Also, don't forget to change the '/etc/ssh/sshd_config' to make sure root is not allowed to log in over ssh as well:
PermitRootLogin no
== Syslog
Syslog has been setup as described in [[syslog]].