Wednesday, November 16, 2011

Creating a Self-signed Certificate for IBM HTTP Server

The process to generate a self-signed certificate for IBM HTTP Server 6.1.

Assuming you are enabling a single web site for SSL, and its hostname is the same as the one already defined in the global scope for non-SSL (port 80), you can enable SSL as follows.

1. Check that your HTTP web site is working on port 80, using the IP address, the URL, or both, e.g.:

 http://x.x.x.x  or http://abc123.com

Check that the HTTP processes are running.


2. For reference, check whether https for the same IP address or URL already works on port 443.
Getting the same URL working over HTTPS via a self-signed certificate is what we have to achieve.

3. Check that https and port 443 are defined in /etc/services.

#  cat /etc/services |grep -i 443 |grep -i https
https                    443/tcp                # http protocol over TLS/SSL
https                    443/udp                # http protocol over TLS/SSL

4. Check whether GSK v7 for IBM HTTP Server 6.1 is installed.

 # lslpp -l |grep -i gsk
 #
 # cd /usr/opt/ibm
  ksh: /usr/opt/ibm:  not found.

5. Install GSK v7 for IBM HTTP Server 6.1.

IBM HTTP Server V6.1 releases support Global Security Kit version 7 only:
V6.1.0.0 requires GSKit 7.0.3.20 (or higher)
# lslpp -l |grep -i gsk
  gskjs.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gskjt.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gsksa.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base
  gskta.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base

# cd /usr/opt/ibm
# ls -ltr
total 0
drwxr-xr-x    8 root     system          256 Nov 15 11:11 gsksa
drwxr-xr-x    7 root     system          256 Nov 15 11:12 gskjt
drwxr-xr-x    7 root     system          256 Nov 15 11:12 gskjs
drwxr-xr-x    8 root     system          256 Nov 15 11:14 gskta
#
 Apply the latest fix packs for proper functioning; after the update the levels look like this:

 # lslpp -l |grep -i gsk
  gskjs.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gskjt.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Java
  gsksa.rte                 7.0.3.18  COMMITTED  AIX Certificate and SSL Base
  gskta.rte                 7.0.3.20  COMMITTED  AIX Certificate and SSL Base
#

6. Now stop and start the HTTP server.

      # pwd
      /usr/IBM/HTTPServer/bin
      # ./stopapa
      # ./startapa
      #
7. Check that the GUI works on the AIX server (using xclock and Xmanager), then create the key database for SSL as shown below:-

     # cd /usr/IBM/HTTPServer/bin
     # ./ikeyman
                          
 ( Key database type --> CMS,   File name --> key.kdb,  Location --> /usr/IBM/HTTPServer/bin  )

Select the checkbox "Stash the password to a file?". This encrypts the password and saves it as a .sth file in the same directory as the key database file.

Say the password is :- xyzabc123

   Click OK.
   The key files have been created, as shown:
           # pwd
           /usr/IBM/HTTPServer/bin
           #
           # ls -ltr key*
           -rw-r--r--    1 root     system          129 Nov 15 11:36 key.sth
           -rw-r--r--    1 root     system           80 Nov 15 12:36 key.rdb
           -rw-r--r--    1 root     system       115080 Nov 15 12:36 key.kdb
           -rw-r--r--    1 root     system           80 Nov 15 12:36 key.crl
           #
8. Now we need to create the self-signed certificate, for which we don't need it to be signed by a CA such as Verisign.


          Click on the self-signed certificate option to generate the certificate:-

            Key Label = the name you want to give the certificate to identify it in IKEYMAN
            Say the key label is :- www.hostname.com, or your URL
            Note: Using the site name (for example, www.robo.com) as the label is good practice.
            If you are not able to generate a 2048-bit key, rename or move the gskikm.jar file from its default location.
           # pwd
           /usr/IBM/HTTPServer/bin
           As done below:-
          # pwd
            /usr/IBM/HTTPServer/java/jre/lib/ext
          # mkdir gskfiles
          # mv gskikm.jar   /usr/IBM/HTTPServer/java/jre/lib/ext/gskfiles/gskikm.jar_backup_orignal

         Now re-run ikeyman from the GUI. If you still don't get the 2048-bit key option, look for the latest patches for Java and GSK. Since I was just testing on a box, I didn't take the pain to fix this. For more, refer to the IBM link
http://www-01.ibm.com/support/docview.wss?uid=swg21307574

 For the validity period I took 10 years, i.e. 3650 days, and clicked OK.
 
We don't need to receive or extract the certificate, as it is self-signed, unless a copy of it is required elsewhere.

9. Enable the SSL directives in the IBM HTTP Server configuration file (httpd.conf):-

For IBM HTTP Server v2.0, v6.0 and v6.1 the module below must be loaded in httpd.conf:
             LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 # cd /usr/IBM/HTTPServer/conf
 # ls -ltr httpd.conf
   -rw-r--r--    1 root     system        32974 Nov 17 10:11 httpd.conf
 # more httpd.conf|grep mod_ibm_ssl.so
   LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
 #
 Now add the entries below to httpd.conf, after the existing Listen directive for the non-SSL port:

ServerName www.XYABC.com     ---> only if you access the site by URL and have a DNS name defined for it;
                                  not needed if you access it via IP address
Listen 443
<VirtualHost *:443>
SSLEnable
SSLClientAuth None
</VirtualHost>
SSLDisable
KeyFile "/usr/IBM/HTTPServer/bin/key.kdb"
SSLV2Timeout 100
SSLV3Timeout 1000
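The checks from steps 3, 4, 5 and 9 above, plus a permission check on the key database, as one shell script. This is an added example, not from the original post: IHS_ROOT defaults to the /usr/IBM/HTTPServer path used throughout, and 7.0.3.20 is the gskta.rte level step 5 requires. The ls -ltr output in step 7 shows key.kdb and key.sth created 0644; the .sth file holds the stashed password that opens key.kdb, so the script flags either file when group or others can read it. The text-processing functions read command output on stdin, so they can be run against saved output as well as the live box.

```shell
#!/bin/sh
# Pre-flight checks for the IHS 6.1 SSL setup above (steps 3, 4, 5, 7 and 9).
# Added example, not from the original post. "sh ihs_ssl_check.sh check" runs the
# checks against the live system (AIX: lslpp is the AIX package lister).

IHS_ROOT=${IHS_ROOT:-/usr/IBM/HTTPServer}   # install path used throughout the post
REQUIRED_GSK=7.0.3.20                        # minimum gskta.rte level for IHS 6.1.0.0 (step 5)

# version_ge A B : true when dotted version A >= B, compared field by field as integers
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f2=${v2%%.*}
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# gsk_level : installed gskta.rte level from "lslpp -l" output on stdin (column 2)
gsk_level() { awk '$1 == "gskta.rte" { print $2; exit }'; }

# https_service_defined : true when the /etc/services text on stdin maps https to 443/tcp (step 3)
https_service_defined() { awk '$1 == "https" && $2 == "443/tcp" { found = 1 } END { exit !found }'; }

# httpd_conf_missing : print each directive from step 9 that is absent from the httpd.conf
# text on stdin (comment lines ignored); prints nothing when all are present
httpd_conf_missing() {
    conf=$(grep -v '^[[:space:]]*#' || true)
    for want in 'LoadModule ibm_ssl_module' 'Listen 443' '<VirtualHost *:443>' 'SSLEnable' 'KeyFile'; do
        printf '%s\n' "$conf" | grep -qF -- "$want" || echo "missing: $want"
    done
}

# key_files_private FILE... : true when no key database file is readable by group or
# others. ikeyman creates them 0644 (see the ls -ltr output in step 7); the .sth file
# holds the stashed password that opens key.kdb, so both should be root-only (0600).
key_files_private() {
    private=0
    for f in "$@"; do
        mode=$(ls -ld "$f" 2>/dev/null | cut -c5-10)   # group+other permission bits
        case $mode in
            ------) ;;
            *) echo "not private: $f (group/other bits '$mode')"; private=1 ;;
        esac
    done
    return $private
}

main() {
    rc=0
    level=$(lslpp -l 2>/dev/null | gsk_level)
    if [ -z "$level" ]; then
        echo "GSKit 7 (gskta.rte) is not installed (step 4)"; rc=1
    elif ! version_ge "$level" "$REQUIRED_GSK"; then
        echo "gskta.rte $level is below $REQUIRED_GSK, apply the fix pack (step 5)"; rc=1
    fi
    https_service_defined < /etc/services || { echo "https 443/tcp is not in /etc/services (step 3)"; rc=1; }
    missing=$(httpd_conf_missing < "$IHS_ROOT/conf/httpd.conf")
    [ -z "$missing" ] || { printf '%s\n' "$missing"; rc=1; }
    key_files_private "$IHS_ROOT/bin/key.kdb" "$IHS_ROOT/bin/key.sth" || rc=1
    return $rc
}

case ${1:-} in
    check) main ;;
esac
```

Run it as `sh ihs_ssl_check.sh check` after step 9; a zero exit status means every check passed, otherwise each failing item is printed with the step it belongs to. Fixing the permission finding is `chmod 600 key.kdb key.sth` in the bin directory, which is enough because IBM HTTP Server opens the key database as root.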


 10. Now open the browser and open the links using both https and http. DONE :)

11. For more info and configuration, refer to the IBM link

https://www-304.ibm.com/support/docview.wss?uid=swg21179559#step3

*****Note: you must have a DNS entry or a local PC hosts file entry defined if you are using the server name.

Sunday, November 6, 2011

Taking a Backup of datavg on a Running AIX System / Fast Backup of datavg

How to clone a data VG and restore it to another system without downtime (fast clone). (Well tested)
or
How to take a backup of a running system when application availability is the top priority and an offline backup takes nearly 5-8 hrs to complete.

========================================================================
Map the hdiskY or LUN to both systems.

On system1:-

lspv

cfgmgr   ** to pick up the new hdiskY/LUN

Now extend the VG:

extendvg vgname hdisky/lun

****** If you are unable to extendvg due to the max PP limitation, change the VG properties first:

chvg -t 2|3|4 (etc)  vgname

extendvg vgname hdiskY

mirrorvg vgname hdiskY

lsvg -l vgname   * check that all LVs show as synced and consistent (no stale state), else wait for the sync to complete.
Freeze the filesystems to keep them consistent and flush the cache, so that all data is written to disk.

chfs -a freeze=120  filesystem_names  ( all filesystems of that VG used by the application; 120 is the freeze timeout in seconds )

 This freezes the filesystems; no I/O will happen. Users will see the application hang for 2 mins, but these 2 mins are enough for you to split off a consistent copy of the VG.

Now split the VG:

splitvg -y new_vgname -c 2 -i old_vgname   ( -c 2 selects the second copy of the LVs, i.e. hdiskY; -i makes the split independent so that hdiskY cannot rejoin the VG and the LVs/filesystems remain consistent. If you need the hdisk to rejoin the VG later, don't use -i. )
Activate or thaw the filesystems:- now reactivate the filesystems so the application and users can access them again.
chfs -a freeze=0 filesystem_names  ( the filesystems that were frozen above )
You have now frozen the application for only 2-3 mins, and you can take the backup of the consistent datavg as shown below:-

varyoffvg new_vgname

exportvg new_vgname

rmdev -Rdl hdiskY
=======================
On System 2 or the TSM server

Then map the same hdiskY/LUN to the other system, if you have not done so already.

lspv

cfgmgr

lspv

importvg -y vgname hdiskY   ( vgname: the name you want to give the VG )

cp -p /etc/filesystems /etc/filesystems_copy

edit /etc/filesystems and remove the unwanted prefixes like /fs/fs etc.
mount all

check that the VG doesn't have any stale LVs.

Check files and application.

Remove the mapping of hdiskY/LUN from system1.

Mount the filesystems

Take the backup of the consistent datavg on TSM, with downtime of only 2-3 mins on the actual host, while users keep accessing the server. You can also run the application on the cloned server if your mksysb has been cloned to the target server as well.

That's it.

Done!
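The freeze, split and thaw sequence on system1 as one script, added here as an example and not part of the original post. It wraps the commands above so that the thaw (chfs -a freeze=0) runs even if splitvg fails or the script is interrupted, and it refuses to split while lsvg -l still shows stale LVs, since a copy split off a half-synced mirror is not consistent. The VG, snapshot VG and disk names are placeholders set through variables; the lsvg -l listing embedded in the script is constructed and is only used for the dry run.

```shell
#!/bin/sh
# Freeze, split and thaw sequence from the procedure above, wrapped so that the thaw
# always happens and the split is refused while the mirror is still syncing. Added
# example, not part of the original post. With DRY_RUN=1 the AIX commands (chfs,
# splitvg, varyoffvg, exportvg, rmdev) are printed instead of executed, against a
# constructed "lsvg -l" listing, so the sequence can be rehearsed off the server.

VG=${VG:-datavg}                  # VG holding the application data (old_vgname above)
SNAP_VG=${SNAP_VG:-datavg_snap}   # name for the split-off copy (new_vgname above)
DISK=${DISK:-hdiskY}              # mirror disk / LUN that leaves with the snapshot
FREEZE_SECS=${FREEZE_SECS:-120}   # upper bound on the I/O pause, as in the post

run() { if [ "${DRY_RUN:-}" = 1 ]; then echo "$*"; else "$@"; fi; }

# constructed "lsvg -l datavg" output, used only when DRY_RUN=1
SAMPLE_LSVG='datavg:
LV NAME             TYPE       LPs     PPs     PVs  LV STATE      MOUNT POINT
datalv              jfs2       10      20      2    open/syncd    /data
applv               jfs2       5       10      2    open/syncd    /app
loglv00             jfs2log    1       2       2    open/syncd    N/A'

lsvg_l() { if [ "${DRY_RUN:-}" = 1 ]; then printf '%s\n' "$SAMPLE_LSVG"; else lsvg -l "$VG"; fi; }

# vg_filesystems : mount points (column 7) of the VG's filesystems; the VG header,
# the column header and LVs without a mount point (N/A) are skipped
vg_filesystems() { awk 'NR > 2 && $7 ~ /^\// { print $7 }'; }

# stale_lvs : LVs whose state (column 6) is still stale, i.e. mirrorvg has not finished
stale_lvs() { awk 'NR > 2 && $6 ~ /stale/ { print $1 }'; }

thaw() { for fs in $FILESYSTEMS; do run chfs -a freeze=0 "$fs"; done; }

split_consistent_copy() {
    stale=$(lsvg_l | stale_lvs)
    if [ -n "$stale" ]; then
        echo "stale LVs in $VG, wait for the sync to finish: $stale" >&2
        return 1
    fi
    FILESYSTEMS=$(lsvg_l | vg_filesystems)
    # from here on the filesystems are frozen: thaw on any exit, including Ctrl-C
    trap thaw EXIT INT TERM
    for fs in $FILESYSTEMS; do run chfs -a freeze="$FREEZE_SECS" "$fs"; done
    run splitvg -y "$SNAP_VG" -c 2 -i "$VG"; rc=$?
    thaw
    trap - EXIT INT TERM
    if [ "$rc" -ne 0 ]; then
        echo "splitvg failed (rc=$rc); $VG is thawed, nothing was detached" >&2
        return "$rc"
    fi
    # detach the snapshot VG so the LUN can be imported on the backup host
    run varyoffvg "$SNAP_VG"
    run exportvg "$SNAP_VG"
    run rmdev -Rdl "$DISK"
}

case ${1:-} in
    run) split_consistent_copy ;;
    dry) DRY_RUN=1; split_consistent_copy ;;
esac
```

`sh split_backup.sh dry` prints the eight commands in the order they would run; `VG=datavg SNAP_VG=bkpvg DISK=hdisk5 sh split_backup.sh run` executes them. The freeze timeout still applies as a safety net: even if the script were killed with SIGKILL, which no trap can catch, the filesystems thaw on their own after FREEZE_SECS.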
=========================================================================

Extra: using a script to change the LV or filesystem prefix if you want; otherwise you can do it in the /etc/filesystems file, as I tested and stated above:-

The filesystems still have the "/fs/fs" prefix. So a quick and dirty script cleans that up:

for fs in `lsvg -l datavg | grep fs | awk '{ print $7 }' | cut -d'/' -f 4-`
do
    chfs -m /$fs /fs/fs/$fs        # chfs -m new_mount_point current_mount_point
done

And the LVs still have the "fs" prefix. I could leave them, but my OCD won't let me:

for fs in `lsvg -l datavg | grep fs | awk '{ print $1 }' | cut -d's' -f 2-`
do
    chlv -n $fs fs$fs              # chlv -n new_lv_name current_lv_name
done

Then I used "mount -a" to mount all the filesystems.
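The two loops above as a single awk plan, added as an example and not the post's script. It prints the chfs -m and chlv -n commands derived from lsvg -l output so they can be reviewed before anything is renamed, which matters because the loops above match any LV whose listing merely contains "fs". This version only touches mount points that actually start with /fs/fs and LV names that start with fs, and leaves log LVs alone. The lsvg -l listing embedded for the demo is constructed; as in the post, the filesystems are unmounted at this point.

```shell
#!/bin/sh
# Plan (and optionally apply) the removal of the "/fs/fs" mount-point prefix and the
# "fs" LV-name prefix that the split copy carries after importvg. Added example, not the
# post's own script. Reads "lsvg -l" output on stdin and prints one command per rename.

VG=${VG:-datavg}          # the imported VG (the vgname given to importvg above)

plan_prefix_cleanup() {
    awk '
      # column 7 is MOUNT POINT: /fs/fs/data -> /data; deeper paths keep their tail
      NR > 2 && $7 ~ /^\/fs\/fs\// {
          printf "chfs -m %s %s\n", substr($7, length("/fs/fs") + 1), $7
      }
      # column 1 is LV NAME: fsdatalv -> datalv. Log LVs (jfs2log, jfslog) are left
      # alone because the "log =" attributes in /etc/filesystems still name them.
      NR > 2 && $1 ~ /^fs/ && $2 !~ /log$/ {
          printf "chlv -n %s %s\n", substr($1, 3), $1
      }'
}

# constructed "lsvg -l" listing of an imported split copy, for the demo
SAMPLE_LSVG='datavg:
LV NAME             TYPE       LPs     PPs     PVs  LV STATE      MOUNT POINT
fsdatalv            jfs2       10      10      1    closed/syncd  /fs/fs/data
fsapplv             jfs2       5       5       1    closed/syncd  /fs/fs/app/bin
fsloglv00           jfs2log    1       1       1    closed/syncd  N/A'

case ${1:-} in
    demo)  printf '%s\n' "$SAMPLE_LSVG" | plan_prefix_cleanup ;;
    plan)  lsvg -l "$VG" | plan_prefix_cleanup ;;            # review this first
    apply) lsvg -l "$VG" | plan_prefix_cleanup | sh -ex ;;   # then run it, echoing each step
esac
```

`sh fix_prefix.sh plan` shows exactly what `apply` would run; `sh -ex` stops at the first failing rename, so a partially applied plan can be re-run after the cause is fixed, since already-renamed entries no longer match the patterns.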

Monday, October 24, 2011

How to configure NPIV (N_Port ID Virtualization)


Step By Step NPIV configuration

For maximum path redundancy, create the instances on dual VIOS. We consider a scenario with a Power6/7 server, 2 PCI dual/single-port 8 Gb Fibre Channel cards, VIOS level 2.2 FP24 installed, and the VIOS in shutdown state.
First we need to create a virtual fibre channel adapter on each VIOS, which we later map to a physical fibre adapter after logging into the VIOS, similarly to what we do for Ethernet.

Please note: create all the LPAR clients as per requirements first, and then configure the virtual fibre adapters on the VIOS. Since we are mapping one single physical fibre adapter to different hosts, we need to create that many virtual fibre channel adapters. Virtual fibre channel adapters can be created dynamically, but don't forget to add them to the profile, else you lose the configuration on power-off.

1. Create a virtual fibre channel adapter on both VIOS servers.
          HMC --> Managed System --> Manage Profile --> Virtual Adapter
 Let's say I have defined the virtual fibre adapter for AIX client Netwqa with server adapter id 33 and client adapter id 33.


Similarly on VIOS2, for multipath redundancy:-


If you have any more LPARs which you want to configure for NPIV, repeat the above mentioned steps with those LPAR details. 
  2. Mapping the defined virtual fibre channel adapters to physical HBA ports
Now activate the VIOS LPAR. Log on to the VIOS server and check the status of the physical fibre channel ports. If the VIOS are already running, run cfgmgr to pick up the newly defined virtual FC adapters on the VIOS servers.
$ lsnports
Name  physloc                     fabric tports aports swwpns awwpns
fcs0  U5802.001.008A824-P1-C9-T1  0      64     64     2048   2048
fcs1  U5802.001.008A824-P1-C9-T2  0      64     64     2048   2048
fcs2  U5877.001.0083832-P1-C9-T1  0      64     64     2048   2048
fcs3  U5877.001.0083832-P1-C9-T2  0      64     64     2048   2048

If the value of the 'fabric' column is 0, that HBA port is not connected to a SAN switch port supporting NPIV: connect the fibre cable between the physical fibre channel adapter and the SAN switch. If the value is 1, the HBA port is connected to a SAN switch supporting the NPIV feature.

The command displays:
            Name :- the adapter name
            physloc :- the location code of the physical adapter
            aports :- the number of available physical ports
            awwpns :- the total number of WWPNs the physical port supports
After connecting the fibre channel cable, execute lsnports again; you should now get fabric=1.

$ lsnports
Name  physloc                     fabric tports aports swwpns awwpns
fcs0  U5802.001.008A824-P1-C9-T1  1      64     64     2048   2048
fcs1  U5802.001.008A824-P1-C9-T2  1      64     64     2048   2048
fcs2  U5877.001.0083832-P1-C9-T1  1      64     64     2048   2048
fcs3  U5877.001.0083832-P1-C9-T2  1      64     64     2048   2048
Run `lsdev -vpd | grep vfchost` to find out which device represents the virtual FC adapter in a specific slot, or run `lsmap -npiv -all` to list the virtual FC adapters and their mapping to physical adapters.
Here we are interested in vfchost2, as I am showing the example of connecting vfchost2.
Check Status and Flags:-

Status:LOGGED_IN, Flags: a<LOGGED_IN,STRIP_MERGE>
-> The vfchost adapter is mapped to a physical adapter, and the associated client is up and running.
Status: NOT_LOGGED_IN, Flags:1<NOT_MAPPED,NOT_CONNECTED>
-> The vfchost adapter is not mapped to a physical adapter

Status: NOT_LOGGED_IN, Flags:4<NOT_LOGGED>
-> The vfchost adapter is mapped to a physical adapter, but the associated client is not running. If you suspect a problem, check for VFC_HOST errors.

ClntName :- only displayed when the mapped VIO client is booted and in running state.

ClntOS :- likewise only displayed when the mapped VIO client is booted and running.

Now we need to map the device 'vfchost2' to the physical HBA port 'fcs1' using the 'vfcmap -vadapter vfchost2 -fcp fcs1' command. Once it is mapped, check the status of the mapping with 'lsmap -vadapter vfchost2 -npiv'. Please note that the status of the port shows as 'NOT_LOGGED_IN'; this is because the client configuration is not yet complete, so it cannot log in to the fabric.

$ vfcmap -vadapter vfchost2 -fcp fcs1

List the adapter using `lsmap -vadapter vfchost2 -npiv`.
Since the AIX client is not yet configured and mapped, the status is NOT_LOGGED_IN and the ClntName, ClntOS, VFC client name and DRC are not displayed.

Repeat the above mentioned steps in the second VIOS LPAR also. If you have more client LPARs, repeat the steps for all those LPARs in both the VIOS LPARs.

  3. AIX Client Configuration
Create the Virtual FC client adapter on the AIX LPAR by navigating the HMC through the tabs below:-
HMC --> VIO Client (NETWQA) --> Manage Profile --> Virtual Adapter --> Action --> Create as
Create the second Virtual FC Client Adapter with the slot number details as shown in the figure below. Make sure the slot numbers match the ones we entered in the second VIOS LPAR when creating the Virtual FC Server Adapter.
Now activate the AIX LPAR and install AIX in it; note that the minimum version required to support NPIV is AIX 5.3 TL9 or AIX 6.1 TL2. Once the AIX installation is complete, install and configure the subsystem device driver required by your SAN storage box. If AIX is already running, issue `cfgmgr`.
Install the SDDPCM driver for multipathing, depending on the storage you have.

You can now check the status of the Virtual FC Server Adapter ports in both VIOS to see whether the ports have successfully logged in to the SAN fabric.
VIOS2
4. Allocating SAN Storage:-
You can now assign storage to the AIX LPAR. Do proper zoning between the SAN storage and the WWPNs of the AIX client's virtual FC adapters. Use the command below to check the WWPNs of the virtual fibre channel adapters on the AIX client:
#lscfg -vpl fcs*
You can also get the WWPN from the AIX client profile through the HMC, as shown below:-

NOTE: When viewing the properties of the Virtual FC Client Adapter from the HMC, it will show two WWNs for each Virtual FC Client Adapter as shown above. The second WWN shown here is not used until there is a live migration activated on this LPAR through Live Partition Mobility. When a live migration happens for this LPAR, the new migrated hardware will be accessing SAN storage using the second WWN of the Virtual FC Client Adapter, so you have to make sure the second WWN is also configured in Zoning and Access Control.

Use lspath, pcmpath query adapter, datapath query adapter, datapath query device, lsvpcfg, pcmpath query essmap etc. to check that multipathing and the hdisks are configured properly.

It will show output like that below. You can see there are 4 separate paths to the disk 'hdisk2', through two separate virtual FC adapters, as I have connected my DS storage to the fibre switch through 4 cables for each fibre card.
**Zoning on the SAN switch is out of scope for this document; if you want to know how to do zoning you can drop a comment or mail me.

Limitations:-
- NPIV is only supported on 8 Gb FC adapters on p6 hosts. The FC switch needs to support NPIV, but does not need to be 8 Gb (the 8 Gb adapter can negotiate down to 2 and 4 Gb).
- Maximum of 64 NPIV adapters per physical adapter (see lsnports)
- 16 virtual fibre channel adapters per client
- No support for IP over FC (FCNET)
- Optical devices attached via virtual fibre channel are not supported at this time
- Diagnostics are not supported for virtual fibre channel adapters

Important NPIV Commands
$ lsnports
Display information about the physical ports of the physical fibre channel adapters
$ lsmap -npiv -all
Display the virtual fibre channel adapters created on the VIO Server and their status
$ lsmap -npiv -vadapter vfchost0
Display the attributes of one virtual fibre channel adapter
$ vfcmap -vadapter vfchost0 -fcp fcs0
Map a virtual fibre adapter to a physical fibre adapter
$ vfcmap -vadapter vfchost0 -fcp
Unmap a virtual fibre channel adapter (no physical port given)
$ portcfgnpivport ------> on an IBM/Brocade SAN switch
0 - Disable the NPIV capability on the port
1 - Enable the NPIV capability on the port
Usage :- $ portcfgnpivport 10 1
Enables NPIV functionality on port 10 of the SAN switch
Also configure the fibre channel adapter attributes dyntrk=yes and fc_err_recov=fast_fail (on the fscsi devices) on the AIX LPAR.
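The VIOS-side checks from step 2 (fabric column of lsnports, Status/Flags of each vfchost in lsmap -npiv -all) and the AIX-side dyntrk/fc_err_recov note, as shell text filters in one script. This is an added example, not part of the original post. The sample output embedded under `demo` is constructed: the lsmap listing is abbreviated to the lines the filter reads, and the location codes are placeholders. The chdev form it prints uses -P, which records the attribute change in the ODM and applies it at the next reboot, since a busy fscsi device cannot be changed live.

```shell
#!/bin/sh
# NPIV health checks for the procedure above. Added example, not part of the original post.
# Each check is a text filter over command output on stdin, so the script can be rehearsed
# against saved output ("sh npiv_check.sh demo"), run on a VIOS ("sh npiv_check.sh vios")
# or on the AIX client ("sh npiv_check.sh client").

# --- VIOS side ---------------------------------------------------------------------------

# ports_without_fabric : from "lsnports" output, print fcs ports whose fabric column is 0,
# i.e. not attached to an NPIV-capable switch port (columns: Name physloc fabric ...)
ports_without_fabric() { awk 'NR > 1 && $3 == "0" { print $1 }'; }

# vfchost_states : from "lsmap -npiv -all" output, print "<vfchost> <state>" using the
# three Status/Flags combinations explained in step 2
vfchost_states() {
    awk '
      $1 ~ /^vfchost[0-9]+$/ { host = $1 }
      /^Status:/ { status = $0; sub(/^Status:[ \t]*/, "", status) }
      /^Flags:/ {
          if ($0 ~ /NOT_MAPPED/)                                   state = "unmapped"
          else if ($0 ~ /NOT_LOGGED/ && status ~ /^NOT_LOGGED_IN/) state = "mapped-client-down"
          else if ($0 ~ /LOGGED_IN/ && status ~ /^LOGGED_IN/)      state = "mapped-client-up"
          else                                                     state = "unknown"
          print host, state
      }'
}

# --- AIX client side ---------------------------------------------------------------------

# fscsi_fix DEVICE : from "lsattr -El DEVICE" output, print the chdev command that sets
# dyntrk=yes and fc_err_recov=fast_fail (the note above); prints nothing when compliant
fscsi_fix() {
    awk -v dev="$1" '
      $1 == "dyntrk"       && $2 != "yes"       { args = args " -a dyntrk=yes" }
      $1 == "fc_err_recov" && $2 != "fast_fail" { args = args " -a fc_err_recov=fast_fail" }
      END { if (args != "") print "chdev -l " dev args " -P" }'
}

# --- constructed sample output for the demo (placeholder location codes) -----------------
SAMPLE_LSNPORTS='name  physloc                     fabric tports aports swwpns awwpns
fcs0  U5802.001.008A824-P1-C9-T1  1      64     64     2048   2048
fcs1  U5802.001.008A824-P1-C9-T2  1      64     63     2048   2047
fcs2  U5877.001.0083832-P1-C9-T1  0      64     64     2048   2048'

SAMPLE_LSMAP='Name     Physloc                      ClntID ClntName ClntOS
-------- ---------------------------- ------ -------- ------
vfchost0 UXXXX.XXX.XXXXXXX-V1-C33          3 Netwqa   AIX
Status:LOGGED_IN
FC name:fcs1                 FC loc code:U5802.001.008A824-P1-C9-T2
Flags:a<LOGGED_IN,STRIP_MERGE>

vfchost1 UXXXX.XXX.XXXXXXX-V1-C34
Status:NOT_LOGGED_IN
Flags:1<NOT_MAPPED,NOT_CONNECTED>

vfchost2 UXXXX.XXX.XXXXXXX-V1-C35          4
Status:NOT_LOGGED_IN
FC name:fcs0                 FC loc code:U5802.001.008A824-P1-C9-T1
Flags:4<NOT_LOGGED>'

SAMPLE_LSATTR='attach       switch        How this adapter is CONNECTED          False
dyntrk       no            Dynamic Tracking of FC Devices         True
fc_err_recov delayed_fail  FC Fabric Event Error RECOVERY Policy  True'

case ${1:-} in
    demo)
        printf '%s\n' "$SAMPLE_LSNPORTS" | ports_without_fabric | sed 's/^/no fabric: /'
        printf '%s\n' "$SAMPLE_LSMAP"    | vfchost_states
        printf '%s\n' "$SAMPLE_LSATTR"   | fscsi_fix fscsi0 ;;
    vios)
        lsnports | ports_without_fabric | sed 's/^/no fabric: /'
        lsmap -npiv -all | vfchost_states ;;
    client)
        for dev in $(lsdev -C | awk '$1 ~ /^fscsi[0-9]+$/ { print $1 }'); do
            lsattr -El "$dev" | fscsi_fix "$dev"
        done ;;
esac
```

On the VIOS, a vfchost reported as `mapped-client-down` is the expected state right after step 2 and before the client LPAR is booted; one still `unmapped` after vfcmap, or a port still listed under `no fabric`, is what to investigate. On the client, the script only prints the chdev commands; run them once the output has been reviewed.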