Tanti Technology

Bangalore, Karnataka, India
Multi-platform UNIX systems consultant and administrator in mutualized and virtualized environments. I have 4.5+ years experience in AIX system administration. This site will be helpful for system administrators in their day to day activities. Your comments on posts are welcome. This blog is all about the IBM AIX Unix flavour. This blog will be used by system admins who use AIX in their work life. It can also be used by newbies who want to get certifications in AIX administration. This blog will be updated frequently to help system admins and other new learners. DISCLAIMER: Please note that the blog owner takes no responsibility of any kind for any type of data loss or damage caused by trying any of the commands/methods mentioned in this blog. You may use the commands/methods/scripts on your own responsibility. If you find something useful, a comment would be appreciated to let other viewers know that the solution/method worked for you.

Sunday 2 March 2014

AIX Post Install


After installing AIX you are presented with a very basic version of AIX in which everything is default. This article shows you what I tend to change on a system after a fresh install.

Change Root

Change root's password:

Issue this command when you're logged in as root:
  • passwd

Change root's account

Through smitty:
  • Set root's home directory to /home/root
  • Set the 'su' group (sugroups) to netwheel, so that only members of that group may su to root

Set the command line as default user interface

Set the command line as the default user interface:
# /usr/dt/bin/dtconfig -d
The Command line is now set as the default user interface.
This interface will appear on login for all users of the system.
To see this change take effect you must shutdown and restart your system.
Set the CDE environment as the default user interface:
# /usr/dt/bin/dtconfig -e
The CDE environment is now set as the default user interface.
This interface will appear on login for all users of the system.
To see this change take effect you must shutdown and restart your system.

Configure the nameserver (DNS)

Smitty:
  • Communications Applications and Services
    • TCP/IP
      • Further configuration
        • Name Resolution
          • Domain Nameserver (/etc/resolv.conf)
            • Add a Nameserver
            • Set / Show the Domain
Give the correct DNS server and domain name.

NTP

Through command line:
Edit /etc/ntp.conf :
# broadcastclient
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace
server ntp1.company.local
Before starting xntpd, check that the server answers and step the clock if necessary (ntpdate refuses to run once xntpd holds the NTP port):
bash-3.2# ntpdate ntp1.company.local
19 Jan 15:54:08 ntpdate[213254]: adjust time server 10.10.10.100 offset 0.074101 sec
Through smitty:
  • Communications Applications and Services
    • TCP/IP
      • Further Configuration
        • Server Network Services
          • Other Available Services
            • xntpd Subsystem
              • Start Using the xntpd Subsystem
                • BOTH
(smitty fastpath: “smitty xntpd”)

Configure etherchannel and VLAN

Of course, only do this if necessary.
We're going to configure the EtherChannel in backup (failover) mode, with one primary adapter and one backup adapter. This creates a new virtual ethernet adapter; on top of it we configure a VLAN, which creates yet another adapter. That last adapter is the one that gets the TCP/IP interface.

Note: you might consider removing all of your adapters before configuring this. If you do, you lose network connectivity, so make sure you have console access (HMC or serial) first.

Remove network adapters:
rmdev -dl en0
rmdev -dl et0
rmdev -dl ent0
Do this for all network adapters available in the system:
lsdev | grep ^e
Then, rediscover them:
cfgmgr

Configure etherchannel

  • Start smitty using the fastpath etherchannel
    • Add An EtherChannel / Link Aggregation
Now select your primary ethernet adapter. In the screen that follows, leave everything at its default and only change the time-out and retry settings:
[screenshot: EtherChannel attributes]
After that, add a backup adapter: choose "Change / Show Characteristics of an EtherChannel / Link Aggregation", select the adapter you just created and add the backup adapter like this:
[screenshot: adding the backup adapter]
Now we have a failover EtherChannel configured.

Configure vlan

  • Start smitty using the fastpath vlan
    • Add a VLAN
Select the just-added adapter and fill in the VLAN ID:
[screenshot: Add a VLAN dialog]
When you're done you have a new adapter whose interface you can configure with TCP/IP:
[screenshot: TCP/IP configuration on the VLAN interface]
As you can see you end up on interface en5, while there are only four physical adapters (ent0 - ent3): ent4 is the EtherChannel and ent5 the VLAN device on top of it.

NFS Access

Add the NFS file system through smitty (fastpath: smitty mknfsmnt). Keep the nosuid and nodev options shown below: they stop set-uid binaries and device nodes on the remote export from being honoured on this host.
Check the filesystem:
  • cat /etc/filesystems
/exports/install:
        dev             = "/exports/install"

        vfs             = nfs
        nodename        = fileserver.company.local
        mount           = true
        options         = ro,bg,hard,intr,vers=3,proto=udp,nodev,nosuid
        account         = false
Mount all filesystems
  • mount -a

Resize filesystems

The default filesystems do not get much space, so it's necessary to resize them. In the table below you can see the defaults on an freshly installed system.
Filesystem              Default (5.3)   Default (6.1)   Preferred
/                       32 MB           128 MB          2048 MB
/tmp                    64 MB           64 MB           1024 MB
/var                    32 MB           32 MB           1024 MB
/usr                    928 MB          1536 MB         4096 MB
/opt                    64 MB           96 MB           10240 MB
/home                   32 MB           32 MB           512 MB
/var/adm/ras/platform   832 MB          n.a.            n.a.
/admin                  n.a.            128 MB          n.a.
Total                   1984 MB         2016 MB         18944 MB
Change the sizes of the filesystems with these commands (chfs takes the new total size in 512-byte blocks, so 4194304 blocks = 2048 MB):
  • /usr/sbin/chfs -a size=4194304 /
  • /usr/sbin/chfs -a size=2097152 /tmp
  • /usr/sbin/chfs -a size=2097152 /var
  • /usr/sbin/chfs -a size=8388608 /usr
  • /usr/sbin/chfs -a size=20971520 /opt
  • /usr/sbin/chfs -a size=1048576 /home
On newer versions of AIX you can adjust the sizes as well in, for example MB:
  • /usr/sbin/chfs -a size=2048M /
The size and available free space on filesystems is viewable with this command:
  • df -m

MOTD

Change the MOTD to your company welcome and or information banner:
*******************************************************************************
*                                                                             *
*  Welcome to                                     *
*                                                                             *
*******************************************************************************
Where:
= Your company
= Develop, Testing, Acceptance, Production or FailOver Production
= Name

AIX Limitations

SWAP

The paging space on this system is 512 MB by default and is set to 4096 MB here. chps -s adds physical partitions, so the number to add depends on the PP size of rootvg:
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type
hd6             hdisk1            rootvg         512MB     3   yes   yes    lv
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type
hd6             hdisk1            rootvg        4096MB     1   yes   yes    lv
Note that the number of physical partitions to add depends on the PP size, which was 32 MB here: (4096 - 512) / 32 = 112.

Large files

By default a user's process may not create files larger than about 1 GB, which is not useful for root. Edit the limits file to adjust this:
  • vi /etc/security/limits
And change roots settings:
default:
        fsize = 2097151
        core = 2097151
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536
        nofiles = 2000

root:
        fsize = -1
        data = -1
        stack = -1
Explanation (fsize and core are in 512-byte blocks, so the default fsize of 2097151 is 1 GB; -1 means unlimited):
fsize     Identifies the soft limit for the largest file a user's process can create or extend.
core      Specifies the soft limit for the largest core file a user's process can create.
cpu       Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data      Identifies the soft limit for the largest process data segment for a user's process.
stack     Specifies the soft limit for the largest process stack segment for a user's process.
rss       Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
nofiles   Sets the soft limit for the number of file descriptors a user process may have open at one time.

Increase parameter list

When copying a large number of files, or in scripts, the argument list of a command can exceed the kernel limit. To avoid the error:
The parameter list is too long.
adjust the ARG/ENV setting (the ncargs attribute of sys0) using smitty:
  • System Environments
    • Change / Show Characteristics of Operating System
      • ARG/ENV list size in 4K byte blocks
Change this setting to 20 (80 KB). Be careful: setting this value too high may constrain system memory resources.

AIX Security

Login.cfg

Intruder lockout settings

The intruder lockout settings are set in login.cfg file and determined by these options:
* logindelay    The delay (in seconds) between unsuccessful login attempts.
*               This delay is multiplied by the number of unsuccessful logins -
*               i.e. if the value is 2, then the delay between unsuccessful
*               logins will be 2 seconds, then 4 seconds, then 6 seconds, etc.
*               Set this attribute to 0 to disable this feature.
*
* logindisable  The number of unsuccessful login attempts before this port is
*               locked.  Used in conjunction with logininterval.  Set this
*               attribute to 0 to disable this feature.
*
* logininterval The number of seconds during which logindisable unsuccessful
*               login attempts must occur for a port to be locked.
*
* loginreenable The number of minutes after a port is locked that it will be
*               automatically unlocked.  Setting this attribute to 0 will cause
*               the port to remain locked until the administrator unlocks it.
Note that these are per-port (tty) lockouts; the per-user lockout is the loginretries attribute in /etc/security/user (see the User section below). So:
  • vi /etc/security/login.cfg
Go to the "default" section and edit the settings according to:
default:
        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5

Add bash to valid shells

  • vi /etc/security/login.cfg
And go to the “Other security attributes” part and add /bin/bash and /usr/bin/bash:
*******************************************************************************
*
* Other security attributes (usw stanza):
*
* shells        The list of valid login shells for a user; chuser and chsh will
*               only change a user's login shell to one of the shells listed
*               here.
*
* maxlogins     The maximum number of simultaneous logins allowed on the
*               system.
*
* logintimeout  The number of seconds the user is given to enter their
*               password.
*
* auth_type     Determines whether PAM or the standard UNIX authentication
*               mechanism will be used by PAM-aware applications.
*               Valid values: STD_AUTH, PAM_AUTH
*
*******************************************************************************

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/bin/bash,/usr/bin/bash
        maxlogins = 32767
        logintimeout = 60
        auth_type = STD_AUTH

User

Edit the file below and go to the "default" section to set the defaults for new users. Note that with login = false and su = false in the default stanza, every account that has to log in interactively needs its own stanza with login = true (as the monitor and backup examples further down show); that is intentional, so nothing logs in that was not explicitly allowed:
  • vi /etc/security/user
default:
        admin = false
        login = false
        su = false
        daemon = true
        rlogin = true
        sugroups =
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 4
        account_locked = false
        loginretries = 3
        histexpire = 0
        histsize = 24
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 3
        maxrepeats = 3
        dictionlist =
        pwdchecks =
Accounts which may never expire (service accounts; in this environment also the allora and allmondb monitoring accounts) get an explicit stanza. expires = 0 means "never", and login = true or rlogin = true are needed because the default stanza above disables them:
monitor:
        admin = false
        login = true
        expires = 0

backup:
        admin = false
        rlogin = true
        expires = 0
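The lockout and password settings in login.cfg, the limits in /etc/security/limits and the per-user stanzas above all use the same stanza format, and the effective value of an attribute is the user's own stanza falling back to "default". The following is an added example (not from the original post) of a small parser for that format plus an audit of every login-capable account against a policy derived from the values above. The sample texts are constructed; the account "legacyapp" is a deliberately weak hypothetical, and the thresholds in POLICY are this example's, not AIX defaults.

```python
"""Audit AIX stanza files against the policy above (added example)."""
import re

SAMPLE_USER = """\
* constructed excerpt of /etc/security/user
default:
        admin = false
        login = false
        umask = 022
        loginretries = 3
        histsize = 24
        minage = 1
        maxage = 13
        minlen = 8
        dictionlist =

monitor:
        login = true
        expires = 0

legacyapp:
        login = true
        loginretries = 0
        minlen = 4
        umask = 000
"""

SAMPLE_LOGIN_CFG = """\
* constructed excerpt of /etc/security/login.cfg (per-port lockout)
default:
        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5
"""

# attribute -> (check on the raw string value, human-readable rule); thresholds are this example's
POLICY = {
    "loginretries": (lambda v: 1 <= int(v) <= 5, "lock the account after 1-5 bad passwords"),
    "minlen":       (lambda v: int(v) >= 8, "password length >= 8"),
    "histsize":     (lambda v: int(v) >= 12, "remember >= 12 previous passwords"),
    "maxage":       (lambda v: 0 < int(v) <= 13, "password expires within 13 weeks"),
    "umask":        (lambda v: int(v, 8) & 0o022 == 0o022, "umask removes group/other write"),
}


def parse_stanzas(text):
    """Return {stanza: {attr: value}}.

    '*' starts a comment, 'name:' at column 0 opens a stanza, and indented
    'attr = value' lines belong to it. An empty value ('logintimes =') is
    kept as '' because AIX treats it differently from an absent attribute.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("*"):
            continue
        head = re.match(r"^([^\s:]+):\s*$", raw)
        if head:
            current = head.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in raw:
            raise ValueError("malformed line: %r" % raw)
        attr, _, value = raw.partition("=")
        stanzas[current][attr.strip()] = value.strip()
    return stanzas


def effective(stanzas, user, attr):
    """Resolve attr the way AIX does: the user's own stanza, else 'default'."""
    if attr in stanzas.get(user, {}):
        return stanzas[user][attr]
    return stanzas.get("default", {}).get(attr)


def audit_user(stanzas, user):
    """Return 'user: attr=value fails <rule>' findings for one account."""
    findings = []
    for attr, (ok, rule) in POLICY.items():
        value = effective(stanzas, user, attr)
        if value is None or value == "":
            findings.append(f"{user}: {attr} unset ({rule})")
        elif not ok(value):
            findings.append(f"{user}: {attr}={value} fails {rule}")
    return findings


def audit_file(text):
    """Audit every account whose effective 'login' attribute is true."""
    stanzas = parse_stanzas(text)
    report = []
    for user in stanzas:
        if user != "default" and effective(stanzas, user, "login") == "true":
            report.extend(audit_user(stanzas, user))
    return report


def port_lockout_enabled(login_cfg_text):
    """True if login.cfg locks a port after repeated failures inside a time window."""
    d = parse_stanzas(login_cfg_text).get("default", {})
    return int(d.get("logindisable") or 0) > 0 and int(d.get("logininterval") or 0) > 0


if __name__ == "__main__":
    for finding in audit_file(SAMPLE_USER):
        print(finding)
    print("per-port lockout:", port_lockout_enabled(SAMPLE_LOGIN_CFG))
```

Run it against the real files with open("/etc/security/user").read(); the "monitor" account passes because it inherits everything from default, while "legacyapp" is reported three times (loginretries, minlen, umask).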

Profile

Set the default automatic logout in the /etc/profile file:
  • vi /etc/profile
# @(#)27        1.20  src/bos/etc/profile/profile, cmdsh, bos530 8/9/94 12:01:38
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos530 src/bos/etc/profile/profile 1.20
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1994
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
# COMPONENT_NAME: (CMDSH) Shell related commands
#
# FUNCTIONS:
#
# ORIGINS: 3, 26, 27
#
# (C) COPYRIGHT International Business Machines Corp. 1989, 1994
# All Rights Reserved
# Licensed Materials - Property of IBM
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
################################################################

# System wide profile.  All variables set here may be overridden by
# a user's personal .profile file in their $HOME directory.  However,
# all commands here will be executed at login regardless.

trap "" 1 2 3
readonly LOGNAME

# Automatic logout, include in export line if uncommented
TMOUT=600

# The MAILMSG will be printed by the shell every MAILCHECK seconds
# (default 600) if there is mail in the MAIL system mailbox.
MAIL=/usr/spool/mail/$LOGNAME
MAILMSG="[YOU HAVE NEW MAIL]"

# If termdef command returns terminal type (i.e. a non NULL value),
# set TERM to the returned value, else set TERM to default lft.
TERM_DEFAULT=lft
TERM=`termdef`
TERM=${TERM:-$TERM_DEFAULT}

# If LC_MESSAGES is set to "C@lft" and TERM is not set to "lft",
# unset LC_MESSAGES.
if [ "$LC_MESSAGES" = "C@lft" -a "$TERM" != "lft" ]
then
        unset LC_MESSAGES
fi

export LOGNAME MAIL MAILMSG TERM TMOUT

trap 1 2 3
N.B. In the stock file the TMOUT line is commented out: uncomment it, set the value, and add TMOUT to the export line as shown. Consider making it readonly as well (like LOGNAME above), otherwise a user can simply unset it in their own .profile. TMOUT only terminates an idle interactive shell; it does not stop programs the user left running.

Sendmail Privacy

Edit /etc/mail/sendmail.cf (the sendmail configuration file on AIX) and set the privacy flags:
# privacy flags
O PrivacyOptions=goaway
See Sendmail Security Quick Fixes for more information about sendmail security.
Restart sendmail afterwards (stopsrc/startsrc -s sendmail) so the new options take effect.

Prevent buffer overflow in chsh

Take the set-user-id bit off /usr/bin/chsh so that only root can run it (use the full path, or run the command from /usr/bin):
chmod 500 /usr/bin/chsh
Side effect: ordinary users can no longer change their own login shell, so root has to do it for them with chuser.

Additional security

Other security settings are applied throughout this document, in particular the root settings at the top and the ssh settings further down.

AIX Performance

Study the settings below to see if they are applicable for you. Before applying them, please test these settings yourself. I've tested these settings on brand new, superfast JS22 blades, with maximum memory and CPU, and the disks are on a SAN, with a queue_depth of 8. You should make your own tests, to see what your bottlenecks are.

No TCP Acknowledgement delay

By default, AIX waits up to 200 ms before sending a TCP acknowledgement (delayed ACK). To acknowledge immediately, set tcp_nodelayack (the -p flag also records it in the nextboot file):
bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file

Test results

Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818

N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy                    Baseline (default settings)   tcp_nodelayack=1
12000 files (21.8 MB)   19:47 minutes                 0:52 minutes
500 files (87.5 MB)     0:39 minutes                  0:28 minutes
2 files (635 MB)        03:07 minutes                 03:04 minutes

Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818

N.B. 1 Gb network, different subnets, done with scp
Copy                    Baseline (default settings)   tcp_nodelayack=1
12000 files (21.8 MB)   0:24 minutes                  0:20 minutes
500 files (87.5 MB)     0:07 minutes                  0:10 minutes
2 files (635 MB)        0:28 minutes                  0:49 minutes
And now back:
Copy                    Baseline (default settings)   tcp_nodelayack=1
12000 files (21.8 MB)   0:25 minutes                  0:26 minutes
500 files (87.5 MB)     0:09 minutes                  0:09 minutes
2 files (635 MB)        0:48 minutes                  0:46 minutes

Conclusion

This setting really speeds up transfers from Windows to AIX, but does hardly anything between AIX boxes; it can even slow them down.

File System Direct IO

This should speed up filesystem I/O for applications that do their own caching (databases). To use it, mount the filesystem with the dio option:
mount -o dio /mountpoint

Test results

Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818

N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy                    Baseline (default settings)   filesystem dio   filesystem dio + tcp_nodelayack=1
12000 files (21.8 MB)   19:47 minutes                 19:49 minutes    0:59 minutes
2 files (635 MB)        03:07 minutes                 03:01 minutes    03:02 minutes

Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818

N.B. 1 Gb network, different subnets, done with scp
Copy                    Baseline (default settings)   filesystem dio   filesystem dio + tcp_nodelayack=1
12000 files (21.8 MB)   0:24 minutes                  0:32 minutes     0:27 minutes
2 files (635 MB)        0:28 minutes                  0:59 minutes     4:30 minutes

Conclusion

This setting really slows down communication between AIX boxes, so I stopped the tests.

TCP Buffers

These settings should increase network throughput as well. sb_max must stay at least as large as the largest socket buffer you set (here tcp_sendspace and tcp_recvspace), and rfc1323=1 is required for TCP windows above 64 KB. Some of these settings only apply to new connections and some need a reboot, so run your tests carefully:
/usr/sbin/no -p -o sb_max=6192000
/usr/sbin/no -p -o tcp_sendspace=4096000
/usr/sbin/no -p -o tcp_recvspace=4096000
/usr/sbin/no -p -o udp_sendspace=65536
/usr/sbin/no -p -o udp_recvspace=655360
/usr/sbin/no -p -o rfc1323=1
/usr/sbin/no -p -o ipqmaxlen=150
/usr/sbin/no -p -o clean_partial_conns=true

Test results

Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818

N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy                    Baseline (default settings)   tcp buffers      tcp buffers + tcp_nodelayack=1
12000 files (21.8 MB)   19:47 minutes                 19:55 minutes    0:59 minutes
500 files (87.5 MB)     0:39 minutes                  0:38 minutes     0:28 minutes
2 files (635 MB)        03:07 minutes                 03:00 minutes    03:06 minutes

Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818

N.B. 1 Gb network, different subnets, done with scp
Copy                    Baseline (default settings)   tcp buffers      tcp buffers + tcp_nodelayack=1
12000 files (21.8 MB)   0:24 minutes                  0:24 minutes     0:20 minutes
500 files (87.5 MB)     0:07 minutes                  0:08 minutes     0:14 minutes
2 files (635 MB)        0:28 minutes                  0:45 minutes     1:00 minutes

Conclusion

This setting increases network speed between Windows and AIX, but decreases network speed for large files between AIX boxes.

Queue_Depth

For some disks it can help to set a higher queue_depth (default = 1 on these LUNs). For the procedure to change it, see change_disk_properties_of_disks_in_use.

Test results

Copy from Windows XP SP3 (default installation) to AIX 5300-06-07-0818

N.B. Partly 100 Mb network, different subnets, done with WinSCP
Copy                    Baseline (default settings)   queue_depth=8
12000 files (21.8 MB)   19:58 minutes                 19:47 minutes
2 files (635 MB)        02:59 minutes                 03:07 minutes

Copy from AIX 5300-06-07-0818 to AIX 5300-06-07-0818

N.B. 1 Gb network, different subnets, done with scp
Copy                    Baseline (default settings)   queue_depth=8    queue_depth=64
12000 files (21.8 MB)   0:26 minutes                  0:24 minutes     0:24 minutes
2 files (635 MB)        0:29 minutes                  0:28 minutes     0:26 minutes

Conclusion

It's hard to draw a conclusion here. There is some gain, but the higher you set queue_depth, the higher the risk that the storage cannot keep up, which shows up as I/O errors and in the worst case data corruption. For database boxes most vendors advise not to go above a queue_depth of 8, so that would be my suggestion here.

Additional Software

SSH

SSH and SSL Installation

Before SSH can be installed make sure you have SSL installed.
  • uncompress openssl.9.8.802.tar.Z
  • tar -xf openssl.9.8.802.tar
  • smit
    • Software Installation and Maintenance
    • Install and Update Software
    • Install Software
    • Enter "." to search the current directory for software.
Select the software with first F4 to get a list, and F7 to select the software from the list. Don't forget to accept the license agreement (also F4, last option).
You can download the latest openssh version here.

SSH X11 forwarding

X11 forwarding on AIX consists of several steps. First you'll have to change some settings on the AIX box, then do some things on your local workstation, and then of course, you'll have to test it.

Change the sshd_config file

Note: besides X11 forwarding, a few settings in this file are changed for security purposes (Protocol 2, IgnoreRhosts, Banner). Keep in mind that a commented line such as "#PermitRootLogin no" is not a setting: the compiled-in default still applies, and in OpenSSH 5.x that default is PermitRootLogin yes and PasswordAuthentication yes. On a hardened host uncomment both and set them to no.
  • vi /etc/ssh/sshd_config and change the file according to:
#       $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
XauthLocation /usr/bin/X11/xauth
# no default banner path
Banner /etc/secure_banner

# override default of no subsystems
Subsystem       sftp    /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Change the ssh_config file

  • vi /etc/ssh/ssh_config and change the file according to. Note that Cipher is a protocol 1 option and is ignored with Protocol 2, and that the CBC, arcfour and 3DES ciphers in the list below are obsolete: current OpenSSH no longer offers them by default, so prefer the aes*-ctr (and, where the peer supports them, aes*-gcm) algorithms instead.
#       $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
ConnectTimeout 30
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
Protocol 2
Cipher blowfish
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
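
The two files above are easy to misread: a line that starts with "#" is a comment, so the option keeps its compiled-in default, and the first occurrence of an option wins. The following is an added example (not from the original post, and not part of OpenSSH) that parses sshd_config/ssh_config text with those rules and flags the weak points discussed above: protocol 1, PermitRootLogin and PasswordAuthentication left at their defaults, the protocol 1 "Cipher" keyword, and CBC/arcfour/3DES ciphers. The samples are constructed from the two files above; COMPILED_DEFAULTS is this example's assumption for the OpenSSH 5.x era.

```python
"""Flag risky OpenSSH settings in sshd_config / ssh_config text (added example)."""
import re

SAMPLE_SSHD = """\
#Port 22
Protocol 2
#PermitRootLogin no
#PasswordAuthentication yes
IgnoreRhosts yes
X11Forwarding yes
X11UseLocalhost yes
Banner /etc/secure_banner
"""

SAMPLE_SSH = """\
Protocol 2
Cipher blowfish
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
"""

# Values sshd/ssh use when the option is commented out (OpenSSH 5.x; assumption).
COMPILED_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "x11uselocalhost": "yes",
}

# CBC modes, RC4 (arcfour) and 3DES should not be offered.
WEAK_CIPHER = re.compile(r"(-cbc$|^arcfour|^3des)")


def parse_ssh_config(text):
    """Return {option_lowercased: value}; comments skipped, first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)[\s=]+(.+)$", line)
        if m:
            opts.setdefault(m.group(1).lower(), m.group(2).strip())
    return opts


def effective(opts, key):
    """The value in force: explicit setting, else the compiled-in default."""
    return opts.get(key, COMPILED_DEFAULTS.get(key))


def weak_ciphers(cipher_list):
    """Subset of a comma-separated Ciphers value that matches WEAK_CIPHER."""
    return [c for c in cipher_list.split(",") if c and WEAK_CIPHER.search(c)]


def audit(text, server=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_ssh_config(text)
    findings = []
    if "1" in (effective(opts, "protocol") or "").split(","):
        findings.append("protocol 1 is enabled")
    if server:
        for key in ("permitrootlogin", "passwordauthentication"):
            if effective(opts, key) != "no":
                how = "set explicitly" if key in opts else "compiled-in default, line is commented"
                findings.append(f"{key}={effective(opts, key)} ({how}); set it to no")
        if opts.get("x11forwarding") == "yes" and effective(opts, "x11uselocalhost") != "yes":
            findings.append("X11 forwarding listens on all interfaces (X11UseLocalhost no)")
    if "cipher" in opts:
        findings.append("Cipher is a protocol 1 option and is ignored with Protocol 2")
    for c in weak_ciphers(opts.get("ciphers", "")):
        findings.append(f"weak cipher offered: {c}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD) + audit(SAMPLE_SSH, server=False):
        print(f)
```

On the sshd_config above this reports exactly the two commented-out options; on the ssh_config it reports the Cipher keyword and all seven ciphers in the list, which is the practical argument for replacing that list.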

Restart the ssh daemon

Stop and start sshd with its rc script:
# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start
Don't forget to exit your current session, and login again!

Adjustments to your local desktop

Install an X server and enable X11 forwarding in your SSH client. See CygWin - X on Windows for Cygwin/X and PuTTY as client.

Test it

Log in and issue the command:
  • xclock
If a little clock appears on your screen it works. If not, check DISPLAY first: sshd sets it to something like localhost:10.0 when forwarding was negotiated, and an empty DISPLAY means the client did not request X11 forwarding (check the ForwardX11 setting above and your SSH client). Setting it by hand to a local display, as in
  • export DISPLAY=:0.0
only makes sense when an X server runs on the AIX box itself; it does not reach the forwarded channel.

SSH X11 forwarding and SU

X authentication is based on cookies: secret pieces of random data that only your session and the X server know. After su the target user needs the cookie for the forwarded display too, so list your cookies and your display setting before you su (hand over only the entry for your own display, not the whole list):
>xauth list
server1.company.local/unix:10  MIT-MAGIC-COOKIE-1  1c64ce9c5e07154d4403bf8b919635f2
server2.company.local/unix:10  MIT-MAGIC-COOKIE-1  0d219bf6b6b4ed805ad51b17f71d2e38
>echo $DISPLAY
localhost:10.0
Now su, and import the cookie configuration and the DISPLAY variable:
>su - oracle
oracle's Password:

>xauth add server2.company.local/unix:10  MIT-MAGIC-COOKIE-1  0d219bf6b6b4ed805ad51b17f71d2e38
>export DISPLAY=localhost:10.0
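
The mapping between the two values above is easy to get wrong: sshd sets DISPLAY to localhost:10.0, but xauth stores the matching cookie under the local host name as "<hostname>/unix:10". The following added example (not from the original post) picks the one cookie that belongs to the current DISPLAY out of "xauth list" output and builds the argument list for "xauth add" in the target user's session; the sample output and host names are the ones from the listing above, and the hostname argument is whatever "hostname" prints on the AIX box.

```python
"""Select the X11 cookie for the forwarded DISPLAY before su (added example)."""
import re

# Constructed from the `xauth list` output above.
XAUTH_LIST = """\
server1.company.local/unix:10  MIT-MAGIC-COOKIE-1  1c64ce9c5e07154d4403bf8b919635f2
server2.company.local/unix:10  MIT-MAGIC-COOKIE-1  0d219bf6b6b4ed805ad51b17f71d2e38
"""


def display_number(display):
    """'localhost:10.0' -> 10. sshd uses localhost:<X11DisplayOffset + n>.<screen>."""
    m = re.fullmatch(r"(?:[\w.\-]*):(\d+)(?:\.\d+)?", display)
    if not m:
        raise ValueError(f"unexpected DISPLAY: {display!r}")
    return int(m.group(1))


def cookie_for(xauth_output, display, hostname):
    """Return (display_spec, protocol, cookie) for this host and display number.

    A forwarded display 'localhost:10.0' is stored by xauth under the local
    host name as '<hostname>/unix:10', so the lookup keys on the hostname,
    not on 'localhost'. Only that entry is handed to the target user; cookies
    of other displays or hosts stay private.
    """
    want = f"{hostname}/unix:{display_number(display)}"
    for line in xauth_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == want:
            return tuple(parts)
    raise LookupError(f"no cookie for {want}")


def xauth_add_command(xauth_output, display, hostname):
    """argv to run after `su - <user>`, followed by `export DISPLAY=<display>`."""
    spec, proto, cookie = cookie_for(xauth_output, display, hostname)
    return ["xauth", "add", spec, proto, cookie]


if __name__ == "__main__":
    print(" ".join(xauth_add_command(XAUTH_LIST, "localhost:10.0", "server2.company.local")))
```

In practice feed it the live values: subprocess.check_output(["xauth", "list"]) and os.environ["DISPLAY"] before the su, then run the returned argv as the target user.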

RPMs

Before you can install RPMs you'll need the Redhat Package Manager. Install the rpm.rte in the same way as SSL and SSH.
This is the list of rpms that are currently being installed:
rpm     explanation
bash    shell
gcc     C compiler
less    pager, a bit more advanced than more
lsof    lists open files
sudo    run a single command as another user
RPMs are installed through this command:
  • rpm -vi *.rpm

SUDO

For the sudo RPM, change the config file using the “visudo” command:
  • bash-3.2# visudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL
allmonxx     ALL = NOPASSWD: /usr/bin/svmon

%tsmgroup    ALL = NOPASSWD: /usr/tivoli/tsm/client/ba/bin/dsmc, /usr/tivoli/tsm/client/ba/bin/dsmcad, /usr/tivoli/tsm.sh
Two things to check on the NOPASSWD entries: every listed command (in particular the /usr/tivoli/tsm.sh script) must be owned by root and not writable by the group, otherwise the entry is a direct root escalation; and dsmc run as root can restore any file to any path, so membership of tsmgroup is effectively root-equivalent and should be handed out as such.

Tar

Install a newer version (1.21 or higher) of GNU tar in order to create bigger tar archives (important for Oracle RMAN backup archives). Verify the GPG signature that the GNU mirror publishes next to the tarball before building it as root, and note that this is GNU tar, which takes different options from AIX's own /usr/bin/tar:
bash-3.2# ls
tar-1.22.tar.gz
bash-3.2# gunzip tar-1.22.tar.gz
bash-3.2# tar -xf tar-1.22.tar
bash-3.2# ls
tar-1.22      tar-1.22.tar
bash-3.2# cd tar-1.22
bash-3.2# ls
ABOUT-NLS     ChangeLog.1   NEWS          TODO          configure     m4            src
AUTHORS       INSTALL       PORTS         aclocal.m4    configure.ac  po            tests
COPYING       Makefile.am   README        build-aux     doc           rmt
ChangeLog     Makefile.in   THANKS        config.hin    lib           scripts
bash-3.2# ./configure
bash-3.2# make
bash-3.2# make install
The new tar command is installed in /usr/local/bin; /usr/bin/tar remains the AIX version, so either call /usr/local/bin/tar by its full path or put /usr/local/bin before /usr/bin in PATH.

Unnecessary software

Software that is unnecessary:
  • Alternate Disk Installation:
    • bos.alt_disk_install.boot_i
    • bos.alt_disk_install.rte
  • Cluster Systems Management:
    • csm.client
    • csm.core
    • csm.deploy
    • csm.diagnostics
    • csm.dsh
    • csm.gui.dcem
  • Sensor Resource Manager:
    • rsct.core.gui
    • rsct.core.lprm
    • rsct.core.sensorrm
Not sure yet (listed by a KPMG security review, reason still being figured out):
  • AIX Security Hardening:
    • bos.aixpert.cmds
    • bos.aixpert.websm
Note that bos.aixpert.cmds is the AIX Security Expert (aixpert) tool itself; removing it means you can no longer apply or check the aixpert hardening levels on this host.

Monitoring

Set the password for the allmonxx monitoring user:
  • passwd allmonxx
Remove the ADMCHG flag, which would otherwise force a password change at the first login, either by editing the flags line of the user in /etc/security/passwd or with pwdadm -c:
  • vi /etc/security/passwd
Test the login and run svmon:
login as: allmonxx
allmonxx@10.10.10.11's password:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Thu Jun 18 15:59:11 2009 on ssh from 10.10.10.10
Last login: Thu Jun 18 10:53:32 2009 on /dev/pts/2 from 10.10.10.10
*******************************************************************************
*                                                                             *
*  Welcome to company production dbnode                                       *
*                                                                             *
*******************************************************************************
1356-364 /usr/bin/X11/xauth:  creating new authority file /home/allmonxx/.Xauthority
$ sudo /usr/bin/svmon
               size      inuse       free        pin    virtual
memory      8093696    7598696     495000     572834    1111159
pg space     131072       3519

               work       pers       clnt
pin          572834          0          0
in use      1110433          0    6488263

PageSize   PoolSize      inuse       pgsp        pin    virtual
s   4 KB          -    7491688       3519     495314    1004151
m  64 KB          -       6688          0       4845       6688
$

Backup

See the TSM AIX client install page. Extra dependencies needed:
  • xlC.rte
  • xlC.aix50.rte
Both are included with the backupsoftware but have to be selected explicitly.

Additional Oracle configuration

In case the AIX server is going to run Oracle there are a few more requirements. Although most of them are described here, this is the official Oracle documentation.

Required filesets

Operating system filesets: The following operating system filesets are required:
  • bos.adt.base
  • bos.adt.lib
  • bos.adt.libm
  • bos.perf.libperfstat
  • bos.perf.perfstat
  • bos.perf.proctools
  • xlC.aix50.rte:7.0.0.4 or later
  • xlC.rte:7.0.0.1 or later
bash-3.2# lslpp -l bos.adt.base bos.adt.lib bos.adt.libm bos.perf.libperfstat bos.perf.perfstat bos.perf.proctools xlC.aix50.rte xlC.rte
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.adt.base              5.3.0.62  COMMITTED  Base Application Development
                                                 Toolkit
  bos.adt.lib               5.3.0.61  COMMITTED  Base Application Development
                                                 Libraries
  bos.adt.libm              5.3.0.61  APPLIED    Base Application Development
                                                 Math Library
  bos.perf.libperfstat      5.3.0.61  COMMITTED  Performance Statistics Library
                                                 Interface
  bos.perf.perfstat         5.3.0.62  COMMITTED  Performance Statistics
                                                 Interface
  bos.perf.proctools        5.3.0.63  COMMITTED  Proc Filesystem Tools
  xlC.aix50.rte              8.0.0.0  COMMITTED  C Set ++ Runtime for AIX 5.0
  xlC.rte                    8.0.0.0  COMMITTED  C Set ++ Runtime

Path: /etc/objrepos
  bos.perf.libperfstat      5.3.0.50  COMMITTED  Performance Statistics Library
                                                 Interface
  bos.perf.perfstat         5.3.0.62  COMMITTED  Performance Statistics
                                                 Interface

Memory config

To adjust the settings to provide better performance when running Oracle, run this command:
vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o lru_file_repage=0
See AIX Memory for the explanation of these settings.

Hdisk properties

Also for Oracle in combination with iqstor SAN you'll have to change the queue_depth settings:
Current disks:
bash-3.2# lspv
hdisk1          000131facfbfbd5b                    rootvg          active
hdisk2          none                                None

Added disks:
bash-3.2# cfgmgr
bash-3.2# lspv
hdisk1          000131facfbfbd5b                    rootvg          active
hdisk2          none                                None
hdisk3          none                                None
hdisk4          none                                None

Current properties:
bash-3.2# lsattr -El hdisk3
clr_q         no                 Device CLEARS its Queue on error True
location                         Location Label                   True
lun_id        0x1000000000000    Logical Unit Number ID           False
max_transfer  0x40000            Maximum TRANSFER Size            True
node_name     0x290000092b27a231 FC Node Name                     False
pvid          none               Physical volume identifier       False
q_err         yes                Use QERR bit                     True
q_type        simple             Queuing TYPE                     True
queue_depth   1                  Queue DEPTH                      True
reassign_to   120                REASSIGN time out value          True
rw_timeout    30                 READ/WRITE time out value        True
scsi_id       0x10f00            SCSI ID                          False
start_timeout 60                 START unit time out value        True
ww_name       0x290000092b27a231 FC World Wide Name               False

Queue depth adjustment:
bash-3.2# chdev -l hdisk3 -a queue_depth=8
hdisk3 changed

New properties:
bash-3.2# lsattr -El hdisk3
clr_q         no                 Device CLEARS its Queue on error True
location                         Location Label                   True
lun_id        0x1000000000000    Logical Unit Number ID           False
max_transfer  0x40000            Maximum TRANSFER Size            True
node_name     0x290000092b27a231 FC Node Name                     False
pvid          none               Physical volume identifier       False
q_err         yes                Use QERR bit                     True
q_type        simple             Queuing TYPE                     True
queue_depth   8                 Queue DEPTH                      True
reassign_to   120                REASSIGN time out value          True
rw_timeout    30                 READ/WRITE time out value        True
scsi_id       0x10f00            SCSI ID                          False
start_timeout 60                 START unit time out value        True
ww_name       0x290000092b27a231 FC World Wide Name               False
bash-3.2#
After changing the queue depth you can create volume groups and filesystems. See AIX Storage (dutch) for more information on how to do that.
