Archive for 2011
Nagios Check_as400 PlugIn
Last edited by Shao-Pin, Cheng Taipei, Taiwan
-----------------------------------------------------------
Check_as400 was created for Nagios to monitor IBM System i.
Easy monitoring of all key indicators.
Nagios Exchange - Check_AS400
The following options have been developed and are available:
AJ = Number of active jobs in system.
CJ = Check to see if job is in the system.
CJS [status] [noperm] = Check to see if the job exists in the subsystem and has this status.
Job checking can be controlled by:
status = any other status goes to critical
noperm = don't go to critical if job is not in the system
NOTE: if JobStatus is set, it has highest Priority
JOBS = Number of jobs in system.
CJM = Check the temporary storage used of job.
JOBQ = Number of jobs in JOBQ.
CPU = CPU load.
CPUC = CPU load, considering current processing capacity (CPU used * VP count / cpuBase).
NOTE: use this when, for example, you want to use only 3 CPUs but the partition has more than 3 virtual processors.
CPUT = Top CPU-using job, by the total processing unit time used by the job.
Specify a job name, e.g. *ALL or QZ* or QZDASOINIT
US = Percent free storage
ASP = Check ASP used
DISK = Check DISK Status.
DB = DB utilization. (Not available after V6R1)
DBFault = Pool DB/Non-DB Fault
LOGIN = Check if login completes.
MSG = Check for any unanswered messages on the message queue.
Any unanswered message causes warning status.
OUTQ = Check outq files, writer and status. No writer, or
status of 'HLD' causes warning status. This default
behavior can be modified with the following options:
nw = Don't go critical when no writer
ns = Don't warn if status is 'HLD'
nf = Ignore number of files in queue
NOTE: threshold values are used on number of files
SBS = Check if the subsystem is running.
NOTE: specify as library/subsystem
PRB = Check if the problem was identified.
---------- VISION MIMIX ----------
MIMIX = Check MIMIX Data Group Unprocessed Entry Count, Transfer definition, RJ link state.
---------- Rocket iCluster ----------
ICNODE = Check for any Inactive or Failed Node status.
ICGROUP = Check for any Inactive or Indoubt Group status.
ICSWTCHRDY = Check for multiple conditions for switch readiness.
-SSL
Use SSL connection.
-d
Be verbose (debug)
NOTE: Needs to be one of the first arguments to work
-D
Be verbose and dump screen outputs (debug)
NOTE: Needs to be one of the first arguments to work
When things are not working, use this flag, redirect the output to a file and send it to me!
Notes:
- CPU, DB and US thresholds are decimal; JOBS, JOBQ and OUTQ are integers.
======================================================================
Install Note
======================================================================
* Modify your $NAGIOS_PATH/.as400 with the correct user and password.
* Modify check_as400 with the correct java path.
* Set NAGIOS user profile Display sign-on information *NO
- CHGUSRPRF USRPRF(NAGIOS) DSPSGNINF(*NO)
Initial program to call . . . . *NONE
Initial menu . . . . . . . . . . MAIN
* Nagios user may need to use the IBM default sign-on display file,
or move the nagios user to another subsystem description that uses the system default display file:
a. Use the Change Subsystem Description (CHGSBSD) command.
b. Specify the display file on the SGNDSPF parameter. The system default is QSYS/QDSIGNON.
c. ADDWSE SBSD(SBSLIB/SBSD) WRKSTN(QPADEVxx*) AT(*SIGNON)
* Avoid massive job log entries:
CHGJOBD JOBD(NAGIOSJOBD) LOG(4 00 *MSG)
* Use SSL connection
The server's certificate must be added to the Java trust store (cacerts), for example:
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85.x86_64/jre/lib/security/cacerts -storepass changeit -noprompt -alias xxxx_ce -file /xx/xxx/XXXX.cer
* If you upgrade the cumulative PTF package, the plugin may stop working.
Releases affected: V6R1M0 and M1, V7.1 and V7.2 (with different PTFs):
Release 610 : MF58587
Release 611 : MF58588
Release 710 : MF58589
Release 720 : MF58590
There is a PTF that resolves the plugin stopping:
* RECOMMENDATION: Apply LIC PTF MF59537 for i 6.1 *
* Apply LIC PTF MF59538 for i 6.1.1 *
* Apply LIC PTF MF59539 for i 7.1 *
* Apply LIC PTF MF59540 for i 7.2 *
======================================================================
Help check_as400 - Click Sponsored Ads
======================================================================
This donation will help me provide everyone with greater content
======================================================================
For different language
======================================================================
(optional 1 - Support EN/FR/DE/IT)
1. If your system is running in a language other than English, follow the steps below:
# cd /usr/local/nagios/libexec/check_as400/Lang Source
2. Then copy the Java class file for your language (e.g. substitute your language for french):
# cp check_as400_lang_french.java ../check_as400_lang.java
3. Then compile it:
# javac check_as400_lang.java
(optional 2 - Change Nagios user profile to EN)
The NAGIOS user profile has INLPGM parameter set to a CLP (MAINGBCL)
This is the MAINGBCL:
/*********************************************************************/
/* SERVER PROFILE FOR NAGIOS !!!!!!!!! */
/*********************************************************************/
PGM
CHGSYSLIBL LIB(QSYS2924)
RCLRSC
ENDPGM
This CLP switches the NAGIOS job's language to English by adding the English (2924) language library QSYS2924 to the system library list.
======================================================================
Troubleshooting
======================================================================
Use the -D (debug) option, for example:
check_as400 -D -H x.x.x.x -v DISK > debug.log
======================================================================
Change log
======================================================================
Check_as400 Version: 1.5.1 (2019)
* Fixed WRKSYSSTS check problem on V7R3
Check_as400 Version: 1.4.4 (2017)
* Fixed CPUT problem on OS V7R2.
* Added check job temporary storage used. (Thanks, BIANCHI Xavier)
Check_as400 Version: 1.4.2_1 (2016/04/29)
* Added ITALIAN language. (Thanks to Riccardo Morandotti)
Check_as400 Version: 1.4.2 (2015/06/29)
* Added SSL connection option.
* Fixed username display in Login ERROR message.
* Fixed Log in failure on 10 character username.
Check_as400 Version: 1.3.0 : (2015/03/10)
* Modified check CJ for duplicate jobs, can specify job number for CRITICAL and WARNING value.
Check_as400 Version: 1.2.9 :
* Fixed check MSG for LANG FR/GE string index out of range error. (Thanks to Frederic MOURAGUES)
Check_as400 Version: 1.2.8 :
* Added check for Number of file members.
(Thanks to Tim Vandegrift)
Check_as400 Version: 1.2.7 : ( 2013.08.29 )
* Added check for work with problems.
* Added check for top CPU used job.
The total processing unit time used by the job.
Check_as400 Version: 1.2.5 :
* Added check for Rocket iCluster: Node Status, Group Status, Switch Readiness.
Check_as400 Version: 1.2.4 :
* Added French language definitions
* Fixed check CJ command && parse error.
* Fixed check OUTQ error with V6R1/V7R1. And can specify the library now.
CISA Certification Maintenance Fees
CISA requires that after certification you keep earning CPE credits and pay the certification maintenance fee:
120 credits every three years, with no fewer than 20 credits in any year.
Joining the association and a chapter is the fastest way to earn CPE,
and non-members currently pay an extra USD 85 on the annual certification maintenance fee (CISA Fee).
2011 Basic Membership Dues 135.00 135.00
2011 142-Taiwan Chapter 50.00 50.00 (the mainland China and Hong Kong chapters are USD 55)
2011 CISA Fee 40.00 40.00
USD 225 (about NT$7,000) must be paid per year, and it rises by about USD 5 each year.
Taiwan has not gone further, as Korea or the United States have, to require a certification to practice by law,
which often results in a low number of valid certifications.
I feel deeply that, both individually and institutionally, we still have a lot of room to improve
in order to raise the standard of information-related work and compete with the world.
On Nagios, the Open-Source Monitoring System
I have been busy with work and exams lately, and there is one thing I have not yet put on the blog, so here it is before I forget again....
One day in May this year I was delighted to chat with PowerOp about Nagios, the open-source software I love using,
and to explain what open-source software has been applied to in practice.
PowerOp podcast
The spirit of open source is that the community helps each other and makes the software better and better.
Very happy to have completed another sharing event!
--------------------------------------------------------------------------
Recently I have had new ideas and plans for Nagios:
I found it can be used as information-security control monitoring software,
1. Write programs for rule-based intrusion detection (IDS by rule),
e.g.: IF a root user creates File1 and File2
2. Write hooks placed in online transactions to check the accounting.
3. Then integrate the monitoring screens through NagVis.
Hmm.... I can do all of these; once finished it will surely be impressive.
My Experience Passing the CISA Exam
Here is my experience of passing the exam; I hope it helps you.
http://www.caa.org.tw/news-detail.asp?id=227
(1). About CISA
The Information Systems Audit and Control Association (ISACA) administers the international Certified Information Systems Auditor (CISA) certification.
- There are more than 33,000 valid certification holders (CISAs) worldwide.
- In Taiwan, about 361 people passed the CISA exam between 1987 and December 2009.
- The number of CISA certificate holders in Taiwan is 191 (as of 2011.08.04).
(2). Registration and fees
Joining ISACA and the Taiwan chapter plus the exam costs about USD 605 in total; early-bird registration gets a discount of about USD 50.
(3). Exam preparation experience
Read the CISA Review Manual first, then do practice questions,
mark and record the questions you got wrong, then go back to the CISA Review Manual and adjust your reasoning.
For about a third of the harder questions, the content involved in the question or answer requires other reference books or Google to fully understand the knowledge the question covers;
cramming too much knowledge at once will overwhelm your brain, so I suggest reading a little each day, which means allowing plenty of preparation time.
When work was busy I could not read, and after getting home and looking after the kids I was nearly exhausted, so I could only read for a while after the kids were asleep, and tried to get up early to look at the book.
During the hard final month, to reduce nervousness, I used spare moments to review all the questions I got wrong or was unsure about once more to reinforce the reasoning, then waited for exam day.
Tips: never try to memorize answers by rote; with thousands of sample questions the chance of repetition is extremely low, but the problem-solving logic is similar,
so pay attention to the meaning of the question and the logical order, and pick the most suitable answer among the correct ones.
(4). Taking the exam
On exam day, get up and eat breakfast; you will need the energy.
Check your exam supplies (bring your passport), and leave early to avoid unexpected delays.
At the exam site, check in first.
The staff speak Chinese; before the exam starts the rules are read out entirely in English, with a Chinese translation document attached,
and they are read quickly, so do not lose focus; fill in your details following the proctor's pace so you do not get your personal data wrong, and raise your hand if you do not understand.
Then come 4 hours and 200 questions, a test of mental and physical stamina.
(5). Passing the exam and applying for the certificate
Download the application PDF from the official ISACA website; there is also a web version you can fill in online and then submit by e-mail, which is the fastest and most convenient option.
(6). Summary
Exam scores must be in the top 25% worldwide to pass, so you need the courage and determination to get back up after an unfortunate failure, and effort is a necessary condition for success.
Overall, having practical work experience at a medium or large enterprise and IT technical skills makes studying more efficient and raises the chance of passing.
Obtaining this certificate means reaching the international standard for "computer auditing"!
The key point that distinguishes a "profession" from an "occupation" is whether there is a "common standard body of knowledge";
according to the US Department of Labor, a profession must include five elements:
1. A national-level membership organization
2. Clearly defined professional ethics provisions
3. Academic research as backing
4. A clearly scoped body of knowledge
5. Certificates, accreditation, licenses, permits, etc. to distinguish who is qualified to practice.
So the earliest occupations that could be called professions were only three:
1. Clergy (e.g. with the Bible as the standard)
2. Physicians (e.g. with pathology/pharmacology as the standard)
3. Lawyers (e.g. with the law as the standard).
Fields where standards are hard to predefine may have a higher artistic or craft component, yet also have their own specialized component (what the Japanese call a "master"), and such occupations are also trending toward international certification!
Today, the "profession" represented by many international certifications does not necessarily equate to being able to "practice", or to earning more income, but one's personal knowledge certainly grows;
whether Taiwan's currently scarce certifications will in future see more and more people with the same professional skills competing with each other still comes down to market demand.
Finally, an excerpt of the 2011 CISA knowledge content outline for reference:
The 2011 CISA job practice domains are as follows (from the audit association's website description):
1 The Process of Auditing Information Systems (14%) - Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems.
2 Governance and Management of IT (14%) - Provide the leadership, organizational structures and processes necessary to achieve organizational goals and support its strategy.
3 Information Systems Acquisition, Development and Implementation (19%) - Ensure that the practices for the acquisition, development, testing and implementation of information systems meet the organization's strategies and objectives.
4 Information Systems Operations, Maintenance and Support (23%) - Ensure that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.
5 Protection of Information Assets (30%) - Ensure that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
Receiving SNMP messages with the Nagios monitoring software on AIX, using the IBM TS3100 as an example
1. Compile SNMP 5.5 on AIX, or find an rpm to install:
./configure --disable-embedded-perl --without-kmem-usage
2. Install SNMP (snmpd snmptrapd)
(1). After installing, set up the configuration file: ./snmpconf -i
(2). The IBM TS3100 tape library's default snmp community is public (initial),
3. Install snmptt to process the log after a trap
(1). snmptrapd.conf needs the authorization added, and both snmptt's standalone and daemon modes must be able to process snmptrap messages:
authCommunity log,execute,net public
traphandle default /usr/sbin/snmptthandler
traphandle default /usr/sbin/snmptt
Restart snmpd and snmptrapd
(2). Import the MIB file to be monitored into snmptt:
./snmpttconvertmib --in=/usr/share/snmp/mibs/powernet361.mib --out=/etc/snmp/snmptt.ibm.conf
(3). vi snmptt.ini and add snmptt.ibm.conf
(4). In the part that sends the message, add submit_check_result HOSTNAME SERVICENAME CODE MESSAGE; example below:
EVENT eventDoorOpen .1.3.6.1.4.1.2.6.210.4.2 "Status Events" INFORMATIONAL
FORMAT Library Door Opened: The library $1 (Serial Number $2) door has been opened.
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result AS400-B0000 TS3100 1 "The library $1 (Serial Number $2) door has been opened"
SDESC
The library door has been opened.
Variables:
EDESC
(5). Restart the snmptt service and check the log to confirm it is correct
(6). Open the TS3100 door or log in/out of the web account to test.
Debug
1. If there is a problem, change snmpd.conf, snmptrapd.conf and snmptt.ini (debug=2) to output logs
2. Turn on iptrace on AIX to see whether messages from the device reach AIX:
/usr/bin/startsrc -s iptrace -a "-a -b -d x.x.x.x -i en0 /var/log/snmptt/iptrace.cap" >/dev/null 2>&1
/usr/bin/stopsrc -s iptrace >/dev/null 2>&1
View the trace log:
ipreport -srn /var/log/snmptt/iptrace.cap
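As an added example (not the Nagios project's own submit_check_result script), a POSIX shell implementation of the submit_check_result call used in the snmptt EXEC line above. It assumes the Nagios external command file is /usr/local/nagios/var/rw/nagios.cmd unless NAGIOS_CMD_FILE overrides it, and it strips the ';' field separator and line breaks out of the trap text before writing, so device-supplied text cannot inject extra fields or commands into the command pipe.

```shell
#!/bin/sh
# Constructed example: write a Nagios passive service check result to the
# external command file, with the argument order the snmptt EXEC line uses:
#   submit_check_result HOSTNAME SERVICENAME CODE MESSAGE
# Assumed default path for the command file; override with NAGIOS_CMD_FILE.
NAGIOS_CMD_FILE="${NAGIOS_CMD_FILE:-/usr/local/nagios/var/rw/nagios.cmd}"

# Map a Nagios return code (0-3) to its state label; any other code is rejected.
state_label() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        3) echo UNKNOWN ;;
        *) return 1 ;;
    esac
}

# Build the PROCESS_SERVICE_CHECK_RESULT line.
# Arguments: host service code message [epoch]  (epoch defaults to now).
# The command file format is ';'-separated and newline-terminated, so ';' and
# line breaks in the message (which comes from the trap, i.e. the device) are
# replaced with spaces before the line is assembled.
build_check_result() {
    host=$1; service=$2; code=$3; msg=$4; now=${5:-$(date +%s)}
    state_label "$code" >/dev/null || return 1
    safe_msg=$(printf '%s' "$msg" | tr ';\n\r' '   ')
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$now" "$host" "$service" "$code" "$safe_msg"
}

# Append the line to the command file (a named pipe on a live Nagios host).
# Returns 2 on a bad return code so the snmptt log shows the failure.
submit_check_result() {
    line=$(build_check_result "$@") || { echo "bad return code: $3" >&2; return 2; }
    printf '%s\n' "$line" >> "$NAGIOS_CMD_FILE"
}
```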
Sending HMC Commands from a CL Program
In R530 of IBM i5/OS, HMC commands can now be sent directly to the HMC by using the 5733SC1 IBM Portable Utilities for i5/OS LPP. This allows i5/OS system administrators to send commands to the HMC from an i5/OS command line, the scheduler or from a program. Public key authentication can be configured to allow the commands to be run in an unattended environment. As an example, a CL program performing a system backup can issue a DLPAR move command to add a tape device to its partition before performing the save.
This document provides a sample CL program that can be used to submit HMC commands and check if they run successfully. It also provides the HMC and i5/OS setup necessary to run the sample.
HMC Setup
Step 1: Enable SSH on the HMC:
a Expand HMC Management > HMC Configuration.
b In the Contents area, click Enable/Disable Remote Command Execution.
c Select the appropriate check box.
d Click OK.
Step 2: Enable SSH in the HMC firewall:
a Expand HMC Management > HMC Configuration.
b In the Contents area, click Customize Network Settings.
c Click the LAN Adapters tab.
d Select the LAN adapter used for the open network (normally eth1), then click the details button.
e Select Secure Shell 22:tcp , and click the allow incoming button.
f Click OK, and click OK.
g The HMC will display a panel stating that the settings will be applied on the next reboot. Click OK. Do not reboot. Firewall settings go into effect immediately.
i5/OS Setup
Step 1: Install and Configure IBM Portable Utilities for i5/OS:
The LPO 5733SC1, IBM Portable Utilities for i5/OS, is now available for V5R3 i5/OS users. The 5733SC1 LPO contains the OpenSSH, OpenSSL, and zlib open source packages that are ported to i5/OS by using the i5/OS PASE runtime environment. The 5733SC1 LPO requires that i5/OS V5R3 and i5/OS Option 33 (i5/OS PASE - Portable Solutions Application Environment) are installed. For further information on installing and configuring this LPP, refer to the following Web site:
http://www-1.ibm.com/servers/enable/site/porting/tools/openssh.html .
Note: The 5733SC1 LPO requires i5/OS V5R3 and also requires that 5722SS1 Option 33 (i5/OS PASE - Portable Solutions Application Environment) be installed. The sample program requires 5722SS1 Option 30 QShell Interpreter.
a Apply current SSH PTFs. For a list of required PTFs, refer to the following Rochester Support Center knowledgebase document:
371780606, OpenSSH PTF List for V5R3 (Rochester Support Line KnowledgeBase, 'All Documents' view)
OpenSSH portion of 5733-SC1 consists of these utilities:
* ssh - a secure telnet replacement that allows an i5/OS user to connect as a client to a server running the sshd daemon
* sftp - a secure ftp replacement
* scp - a secure file copy program -- basically an alternative to sftp for copying a single file in the integrated file system (IFS)
* ssh-keygen - a public/private key generation and management tool
* ssh-agent - an authentication agent that can store private keys
* sshd - the daemon that handles incoming ssh connections.
Note:
The sshd daemon utility allows users to connect to i5/OS via an ssh client. In contrast to connecting to i5/OS via telnet and being presented with a 5250 screen interface, users that connect via ssh to an i5/OS system running the sshd daemon will be presented with a character interface and an i5/OS PASE command line.
Hints and Tips for Using OpenSSH:
CRTIMGCLG IMGCLG(SSHCAT) DIR('/home/SSHCAT') CRTDIR(*YES)
ADDIMGCLGE IMGCLG(SSHCAT) FROMFILE('/5733sc1/5733sc1.iso') <=V5R3 CD label must be "SC1_CO"
CRTDEVOPT DEVD(OPTVRT01) RSRCNAME(*VRT) ONLINE(*YES) TEXT('virtual optical device')
LODIMGCLG IMGCLG(SSHCAT) DEV(OPTVRT01) OPTION(*LOAD)
To install OpenSSH:
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)
Step 2: Configure the QSHELL path
The sample assumes the IBM Portable Utilities are added to the QSHELL path. The QSHELL path can be set system wide by adding a path environment variable or by using one of the other methods described in the IBM iSeries Information Center.
To set the path using a system wide environment variable, on the i5/OS command line, type the following:
ADDENVVAR ENVVAR(PATH) VALUE('/usr/bin:.:/QOpenSys/usr/bin:/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/bin') LEVEL(*SYS)
Press the Enter key.
Step 3: Verify the i5/OS user profile home directory:
a For each i5/OS user profile running the program under their account, verify the home directory. Use the DSPUSRPRF command to verify the i5/OS user's home directory (HOMEDIR field):
DSPUSRPRF
Press the Enter key. The default is /home/.
b Verify the directory exists:
wrklnk
Press the Enter key.
c Use the mkdir command to create the directory or alter the profile to the desired existing home directory as desired. This directory is used to store the user ssh configuration information such as known_hosts and the private/public key pairs.
Step 4: Verify the DNS configuration and network connectivity:
a The HMC host name must be configured in the DNS server or a local host entry must exist for the HMC (CFGTCP Option 10). To verify network connectivity and DNS resolution, type the following command on the i5/OS command line:
ping
where is the HMC's short host name. Verify that the ping is successful.
b Type the following command:
nslookup 'w.x.y.z'
where 'w.x.y.z' is the HMC's TCP/IP address. This must return the HMC's fully qualified host name.
c If the HMC host name or TCP/IP address cannot be correctly resolved, then correct the DNS configuration or add a local hosts entry for the HMC to the i5/OS partition. To add the HMC to the partition hosts list use the following command:
ADDTCPHTE INTNETADR('w.x.y.z') HOSTNAME(('myhmc') ('myhmc.mydomain'))
where 'w.x.y.z' is the HMC TCP/IP address used on the open network (usually eth1) and myhmc and myhmc.mydomain are the HMC host name and HMC host name.domain name as configured in the HMC network configuration.
Step 5: Verify the ssh connection:
a Start QSHELL using the command STRQSH.
b At the QSHELL prompt, verify the ssh connection by using the following command:
ssh -T@
It will prompt for password.
Note: The -T is optional. If not specified, the user receives the warning message tcgetattr: A system call received a parameter that is not valid. This warning can be ignored.
c Verify that the user can log on to the HMC and run a command such as ls /usr/hmcrbin.
Note: The first time a ssh connection is made to the HMC the user is prompted to verify the authenticity of the hmc:
The authenticity of host 'cs6hmc (9.5.32.12)' can't be established.
. key fingerprint is RSA.
Are you sure you want to continue connecting (yes/no)?
The user must answer yes. The HMC's public key is then stored in the .ssh/known_hosts file under the user's home directory and the user will not be prompted again. The known_hosts file must be configured for each i5/OS user profile that the CL program will run under.
d Log off the HMC. Use the command exit to end the ssh session.
Step 6: Generate a private public key pair on the i5/OS partition.
These instructions can also be found on the eServer Information Center web site. The commands used in the i5/OS setup can be entered from QSHELL (STRQSH) or from the PASE terminal session (call qp2term).
a Generate a key pair for the i5/OS partition by using the ssh-keygen command. Run the following command from the partition Qshell or PASE terminal session. Do not type a passphrase when prompted (press the Enter key).
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/ddilling/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /ddilling/.ssh/id_rsa.
Your public key has been saved in /ddilling/.ssh/id_rsa.pub.
The key fingerprint is: 86:57:44:54:f6:2c:9f:fa:88:fd:97:2e:b4:53:c0:f8 ddilling@RCHASCLC.RCHLAND.IBM.COM
b Copy the public key to the clipboard. List the public key that was generated:
cat
where is the public key file name (id_rsa.pub) from the previous step. The output will be a long string such as the following:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuF8Uq/GG4CdFdDUXl+ggSleo96SbGZEkGtKD721r+hCPya9iy3tCYijCFs9SMjovHdlGmzX5FFbOuYDnlk2yvhBfXvx/V7TmmmsvQlvsz8a8ulm/Z+dzwJiUV+rHv9moeRnLVksafsuHCo034qITqYDMKlS27jVtc4/HG+VF1c8= ddilling@RCHASCLC.RCHLAND.IBM.COM
Example of using Qshell to list and copy the public key:
Screen shot of QSH Command Entry screen,
Caution : The IBM Personal Communications emulator paste function will append a carriage return and line feed character to the end of each line if it is used to paste into a Microsoft Windows program (such as Notepad) or a Windows ssh client (such as PuTTY). Be careful to remove the extra control characters when pasting to a Windows program.
Step 7: Type the public key into the HMC:
The public key generated in Step 6 must be entered into the HMC user's ~/.ssh/authorized_keys2 file using the HMC mkauthkeys command. These instructions can also be found in the eServer Information Center web site. The mkauthkeys command can be run on the local HMC or any ssh session connected to the HMC. The example below uses Qshell as the ssh client.
Note: Type or copy/paste the key string exactly as it is stored in the id_rsa.pub file. Do not include any extra carriage return, line feed or space. See the example below.
a Open a ssh session to the HMC or a restricted shell on the local HMC.
Example of using Qshell to ssh to the HMC (same as step 5 above):
Screen shot of QSH Command Entry
b Register the public key using the mkauthkeys command. Type the command mkauthkeys --add on the first line. Position the cursor at the start of the next line . Paste the key onto the next few lines. Insert a single quote at the beginning and end of the string as shown below:
Screen shot of QSH Command Entry for mkauthkeys
c Position the cursor at the end of the line and carefully remove the spaces that were inserted by the paste operation using the delete key. Press the Enter key to run the command.
Another screen shot of QSH Command Entry for mkauthkeys
Step 8: Verify the secure script configuration:
If the keys match, running the ssh command from the partition will no longer prompt for a user or password (the terminal type prompt can be suppressed using the -T option). Exit any existing ssh session to the HMC, then connect again from Qshell or the PASE command shell. There should not be any prompt for a password.
ssh
tcgetattr: The specified device does not exist.
Last login: Thu Jun 30 17:26:51 2005 from localhost.localdomain
tset: unknown terminal type unknown
Terminal type?
vt100
vt100
ddilling@cs6hmc:~>
If that fails, verify that the key was entered correctly. The output of the following HMC command must contain the key exactly as shown in Step 6b. If multiple systems have configured secure script, then more than one entry can exist.
cat .ssh/authorized_keys2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuF8Uq/GG4CdFdDUXl+ggSleo96SbGZEkGtKD721r+hCPya9iy3tCYijCFs9SMjovHdlGmzX5FFbOuYDnlk2yvhBfXvx/V7TmmmsvQlvsz8a8ulm/Z+dzwJiUV+rHv9moeRnLVksafsuHCo034qITqYDMKlS27jVtc4/HG+VF1c8= ddilling@RCHASCLC.RCHLAND.IBM.COM
Common Error Messages
1) ssh: w.x.y.z: Hostname and service name not provided or found
When you connect using a TCP/IP address, ssh expects to be able to perform a DNS reverse-lookup for the address provided. If the host name cannot be resolved, this error is returned. To resolve the problem, correctly register the HMC in the DNS (and enable reverse name look-up) or add a host table entry for the HMC address to the IBM eServer™ i5 partition's host table. The following command creates a host table entry in i5/OS:
ADDTCPHTE INTNETADR('w.x.y.z') HOSTNAME((somehostname))
Press the Enter key.
2) ssh-keygen fails with error "not enough entropy in RNG"
The fix for SE19413 is missing. See the recommended PTF list above.
3) "You don't exist, go away!".
The i5/OS user profile that the ssh command runs under must be 8 characters or less in length.
Running HMC Commands
Once ssh and private/public key authorization is configured, HMC commands can be run directly without prompting for password.
To run a Qshell command from the i5/OS command line or a CL program, use the QSH command; for example:
QSH CMD('ssh -T ddilling@cs6hmc lshmc -V')
HMC commands can also be added to the scheduler; for example:
ADDJOBSCDE JOB(SSHCMD) CMD(QSH CMD('ssh -T ddilling@cs6hmc lshmc -V')) FRQ(*ONCE) SCDTIME('20:00:00')
To run several commands at one time, it may be easier to create a shell script which runs the commands and then invoke the script from the i5/OS.
CL Sample
The following sample CL program shows how to invoke QSHELL to run the ssh command. The sample accepts a HMC name, command to run, optional parameters for the identity file and user, then runs the command on the remote HMC. Finally, it retrieves the return code of the command that was run to determine if the command succeeded.
The example calls the CL program and runs a DLPAR add operation to add the specified IO slot to the target i5/OS partition. The program checks the exit status of the HMC command to determine if the command succeeded. If run in batch, the standard output from the HMC is directed to a spooled file for the job. For more complex operations, it may be easier to wrap the HMC commands in a QSHELL script and run the script from the CL program.
Example Call:
CALL PGM(HMCCL) PARM(
'chhwres -r io -m CS6520 -o a -p RCHASCS6B -l 2102000A '
'9.5.32.12 ' 'ddilling2 ' '/ddilling/.ssh/id_rsa ')
/******************************************************************************/
/* HMC ssh Sample */
/* */
/* HMCCMD CHAR(122) HMC command to execute padded to 122 chars */
/* HOST CHAR(15) HMC hostname or ip address */
/* USER CHAR(10) [optional] HMC user profile name */
/* IDENTITY CHAR(48) [optional] Identity file name */
/* */
/* Parameters map to the ssh command being run as */
/* ssh host | user@host [-i identity] hmccmd */
/* where optional parameters with values of all blanks are treated as missing.*/
/* */
/* - Requires 5733-SC1 -- IBM Portable Utilities for i5/OS */
/* - Secure script execution between the i5/OS partition and the HMC */
/* must be configured for the hmc profile being used. */
/* - if PARM3 is omitted (all blanks), ssh defaults to using the i5/OS user */
/* profile the program is running under (or name specified in user config */
/* file). */
/* - PARM4 can be omitted (all blanks) if the default location for the */
/* identity file is used (/.ssh) */
/* - Assumes QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/bin */
/* has been added to the path. */
/* */
/* Example (as entered in call qcmd). Verify parameters are padded to the */
/* correct length. */
/* ===> CALL PGM(HMCCL)PARM( */
/*'ls /usr/hmcrbin */
/* ' '9.5.32.12 ' 'ddilling ' */
/*'/ddilling/.ssh/id_rsa ') */
/* */
/* 6/28/2005 1.4 user profile parameter */
/* 7/05/2005 1.5 bug fix */
/* 12/05/2005 1.6 -T */
/* V1.6 ddilling@us.ibm.com */
/******************************************************************************/
PGM PARM(&HMCCMD &HOST &USER &IDENTITY)
DCL VAR(&HMCCMD) TYPE(*CHAR) LEN(122)
DCL VAR(&HOST) TYPE(*CHAR) LEN(15) /*HMC host name/ip */
DCL VAR(&USER) TYPE(*CHAR) LEN(10) /*HMC userprofile */
DCL VAR(&IDENTITY) TYPE(*CHAR) LEN(48) /*Identity file */
DCL VAR(&CMD) TYPE(*CHAR) LEN(256)
DCL VAR(&USERLEN) TYPE(*INT)
DCL VAR(&X) TYPE(*INT)
/* return status parms */
DCL VAR(&BIN4) TYPE(*CHAR) LEN(4)
DCL VAR(&EXITCODED) TYPE(*DEC) LEN(8 0)
DCL VAR(&EXITCODEC) TYPE(*CHAR) LEN(8)
DCL VAR(&MSGID) TYPE(*CHAR) LEN(7)
/* Build the qshell command to execute */
/* adding the user profile as needed. */
IF (%SST(&USER 1 1) *EQ ' ') THEN(DO)
CHGVAR VAR(&CMD) VALUE('ssh -T ' *CAT &HOST)
ENDDO
ELSE DO
CHGVAR VAR(&CMD) VALUE('ssh ' *CAT &USER +
*TCAT '@' *CAT &HOST)
ENDDO
/*Add identity file if needed. */
IF (%SST(&IDENTITY 1 1) *NE ' ') THEN(DO)
/* Add the -i option to specify the identity file name */
/* Ex: -i /ddilling/.ssh/id_rsa */
CHGVAR VAR(&CMD) VALUE(&CMD *TCAT +
' -i ' *CAT &IDENTITY )
ENDDO
/*Append the command */
CHGVAR VAR(&CMD) VALUE(&CMD *TCAT +
' "' *CAT &HMCCMD *CAT '"' )
/* execute the command */
QSH CMD(&CMD)
MONMSG MSGID(CPF9999) EXEC(DO)
UNKNOWN:
SNDPGMMSG MSG('Unable to execute the ssh command. +
Review joblog for details.')
GOTO EXIT
ENDDO
/* Check the status code */
RCVMSG MSGTYPE(*COMP) RMV(*NO) MSGDTA(&BIN4) +
MSGID(&MSGID)
CHGVAR VAR(&EXITCODED) VALUE(%BINARY(&BIN4))
CHGVAR VAR(&EXITCODEC) VALUE(&EXITCODED)
/* 0 is command worked */
IF COND(&EXITCODED=0) THEN(DO)
SNDPGMMSG MSG('HMC command executed successfully, exit +
code 0')
ENDDO
/* 1 is command execution failed */
/* 2 is command syntax error */
/* 255 Unable to connect */
/* ELSE CMD(IF COND(&EXITCODD=1) THEN(DO */
ELSE CMD(DO)
SNDPGMMSG MSG('HMC command was executed but failed +
with a non-zero exit code of ' *CAT +
&EXITCODEC *CAT '. View stdout for details')
ENDDO
EXIT:
ENDPGM
This document provides a sample CL program that can be used to submit HMC commands and check if they run successfully. It also provides the HMC and i5/OS setup necessary to run the sample.
HMC Setup
Step 1: Enable SSH on the HMC:
a Expand HMC Management > HMC Configuration.
b In the Contents area, click Enable/Disable Remote Command Execution.
c Select the appropriate check box.
d Click OK.
Step 2: Enable SSH in the HMC firewall:
a Expand HMC Management > HMC Configuration.
b In the Contents area, click Customize Network Settings.
c Click the LAN Adapters tab.
d Select the LAN adapter used for the open network (normally eth1), then click the details button.
e Select Secure Shell 22:tcp , and click the allow incoming button.
f Click OK, and click OK.
g The HMC will display a panel stating that the settings will be applied on the next reboot. Click OK. Do not reboot. Firewall settings go into effect immediately.
i5/OS Setup
Step 1: Install and Configure IBM Portable Utilities for i5/OS:
The LPO 5733SC1, IBM Portable Utilities for i5/OS, is now available for V5R3 i5/OS users. The 5733SC1 LPO contains the OpenSSH, OpenSSL, and zlib open source packages that are ported to i5/OS by using the i5/OS PASE runtime environment. The 5733SC1 LPO requires that i5/OS V5R3 and i5/OS Option 33 (i5/OS PASE - Portable Solutions Application Environment) are installed. For further information on installing and configuring this LPP, refer to the following Web site:
http://www-1.ibm.com/servers/enable/site/porting/tools/openssh.html .
Note: The 5733SC1 LPO requires i5/OS V5R3 and also requires that 5722SS1 Option 33 (i5/OS PASE - Portable Solutions Application Environment) be installed. The sample program requires 5722SS1 Option 30 QShell Interpreter.
a Apply current SSH PTFs. For a list of required PTFs, refer to the following Rochester Support Center knowledgebase document:
371780606, OpenSSH PTF List for V5R3 (Rochester Support Line KnowledgeBase)
OpenSSH portion of 5733-SC1 consists of these utilities:
* ssh - a secure telnet replacement that allows an i5/OS user to connect as a client to a server running the sshd daemon
* sftp - a secure ftp replacement
* scp - a secure file copy program -- basically an alternative to sftp for copying a single file in the integrated file system (IFS)
* ssh-keygen - a public/private key generation and management tool
* ssh-agent - an authentication agent that can store private keys
* sshd - the daemon that handles incoming ssh connections.
Note:
The sshd daemon utility allows users to connect to i5/OS via an ssh client. In contrast to connecting to i5/OS via telnet and being presented with a 5250 screen interface, users that connect via ssh to an i5/OS system running the sshd daemon will be presented with a character interface and an i5/OS PASE command line.
Hints and Tips for Using OpenSSH:
To install from an ISO image of the 5733-SC1 media, create an image catalog and a virtual optical device (note: on V5R3 the CD label must be "SC1_CO"):
CRTIMGCLG IMGCLG(SSHCAT) DIR('/home/SSHCAT') CRTDIR(*YES)
ADDIMGCLGE IMGCLG(SSHCAT) FROMFILE('/5733sc1/5733sc1.iso')
CRTDEVOPT DEVD(OPTVRT01) RSRCNAME(*VRT) ONLINE(*YES) TEXT('virtual optical device')
LODIMGCLG IMGCLG(SSHCAT) DEV(OPTVRT01) OPTION(*LOAD)
To install OpenSSH (OPTxx is the optical device holding the media, OPTVRT01 in the image catalog example above):
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(*BASE) RSTOBJ(*ALL) LNG(2924)
RSTLICPGM LICPGM(5733SC1) DEV(OPTxx) OPTION(1) RSTOBJ(*PGM)
Step 2: Configure the QSHELL path
The sample assumes the IBM Portable Utilities are added to the QSHELL path. The QSHELL path can be set system wide by adding a path environment variable or by using one of the other methods described in the IBM iSeries Information Center.
To set the path using a system wide environment variable, on the i5/OS command line, type the following:
ADDENVVAR ENVVAR(PATH) VALUE('/usr/bin:.:/QOpenSys/usr/bin:/QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/bin') LEVEL(*SYS)
Press the Enter key.
Step 3: Verify the i5/OS user profile home directory:
a For each i5/OS user profile that will run the program, verify the home directory. Use the DSPUSRPRF command and check the Home directory (HOMEDIR) field:
DSPUSRPRF USRPRF(profile-name)
Press the Enter key. The default is /home/ followed by the profile name.
b Verify that the directory exists, for example with WRKLNK on the home directory path:
WRKLNK OBJ('/home/profile-name')
Press the Enter key.
c Use the mkdir command to create the directory, or change the profile (CHGUSRPRF HOMEDIR) to point at an existing directory. This directory holds the user's ssh configuration, such as known_hosts and the private/public key pair. Because the private key generated in Step 6 has no passphrase, this directory must not be readable by other user profiles.
Step 4: Verify the DNS configuration and network connectivity:
a The HMC host name must be configured in the DNS server, or a local host table entry must exist for the HMC (CFGTCP option 10). To verify network connectivity and DNS resolution, type the following command on the i5/OS command line:
ping myhmc
where myhmc is the HMC host name as configured in the HMC network settings.
b Type the following command:
nslookup 'w.x.y.z'
where 'w.x.y.z' is the HMC's TCP/IP address. This must return the HMC's fully qualified host name.
c If the HMC host name or TCP/IP address cannot be correctly resolved, then correct the DNS configuration or add a local hosts entry for the HMC to the i5/OS partition. To add the HMC to the partition hosts list use the following command:
ADDTCPHTE INTNETADR('w.x.y.z') HOSTNAME(('myhmc') ('myhmc.mydomain'))
where 'w.x.y.z' is the HMC TCP/IP address used on the open network (usually eth1) and myhmc and myhmc.mydomain are the HMC host name and HMC host name.domain name as configured in the HMC network configuration.
Step 5: Verify the ssh connection:
a Start QSHELL using the command STRQSH .
b At the QSHELL prompt, verify the ssh connection by using the following command:
ssh -T ddilling@cs6hmc
where ddilling is the HMC user profile and cs6hmc the HMC host name (the values used in the examples of this document). It will prompt for the HMC user's password.
Note: The -T is optional. If not specified, the user receives the warning message tcgetattr: A system call received a parameter that is not valid. This warning can be ignored.
c Verify that the user can log on to the HMC and run a command such as ls /usr/hmcrbin .
Note: The first time an ssh connection is made to the HMC, the user is prompted to verify the authenticity of the HMC:
The authenticity of host 'cs6hmc (9.5.32.12)' can't be established.
RSA key fingerprint is <fingerprint of the HMC host key>.
Are you sure you want to continue connecting (yes/no)?
Compare the fingerprint with the one obtained from the HMC administrator through a trusted channel before answering yes; a system placed between the partition and the HMC would be accepted just as readily at this prompt. Once accepted, the HMC's public key is stored in the user's ~/.ssh/known_hosts file under the home directory verified in Step 3, and the prompt does not appear again. If it reappears later, the HMC's key has changed and the connection should be investigated rather than accepted.
d Log off the HMC. Use the command exit to end the ssh session.
Step 6: Generate a private public key pair on the i5/OS partition.
These instructions can also be found in the eServer Information Center web site. The commands used in the i5/OS setup can be entered from QSHELL (STRQSH ) or from the PASE terminal session (call qp2term ).
a Generate a key pair for the i5/OS partition with the ssh-keygen command. Run the following command from the partition Qshell or PASE terminal session. Do not type a passphrase when prompted (press the Enter key): the program must use the key unattended, so the key is stored unencrypted, and the permissions of the home directory and its .ssh subdirectory are its only protection. OpenSSH 3.5p1 generates a 1024-bit RSA key by default; pass -b 2048 or larger for a key that meets current minimums.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/ddilling/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /ddilling/.ssh/id_rsa.
Your public key has been saved in /ddilling/.ssh/id_rsa.pub.
The key fingerprint is: 86:57:44:54:f6:2c:9f:fa:88:fd:97:2e:b4:53:c0:f8 ddilling@RCHASCLC.RCHLAND.IBM.COM
b Copy the public key to the clipboard. List the public key that was generated:
cat /ddilling/.ssh/id_rsa.pub
where /ddilling is the i5/OS user's home directory (see Step 3). The output is a single line:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuF8Uq/GG4CdFdDUXl+ggSleo96SbGZEkGtKD721r+hCPya9iy3tCYijCFs9SMjovHdlGmzX5FFbOuYDnlk2yvhBfXvx/V7TmmmsvQlvsz8a8ulm/Z+dzwJiUV+rHv9moeRnLVksafsuHCo034qITqYDMKlS27jVtc4/HG+VF1c8= ddilling@RCHASCLC.RCHLAND.IBM.COM
Caution : The IBM Personal Communications emulator paste function will append a carriage return and line feed character to the end of each line if it is used to paste into a Microsoft Windows program (such as Notepad) or a Windows ssh client (such as PuTTY). Be careful to remove the extra control characters when pasting to a Windows program.
Step 7: Type the public key into the HMC:
The public key generated in Step 6 must be entered into the HMC user's ~/.ssh/authorized_keys2 file using the HMC mkauthkeys command. These instructions can also be found in the eServer Information Center web site. The mkauthkeys command can be run on the local HMC or any ssh session connected to the HMC. The example below uses Qshell as the ssh client.
Note: Type or copy/paste the key string exactly as it is stored in the id_rsa.pub file. Do not include any extra carriage return, line feed or space. See the example below.
a Open a ssh session to the HMC or a restricted shell on the local HMC.
b Register the public key using the mkauthkeys command. Type mkauthkeys --add followed by a single quote, paste the key (it will wrap onto the next few lines) and close it with a single quote, so that the whole command reads as one string:
mkauthkeys --add 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuF8Uq/GG4CdFdDUXl+ggSleo96SbGZEkGtKD721r+hCPya9iy3tCYijCFs9SMjovHdlGmzX5FFbOuYDnlk2yvhBfXvx/V7TmmmsvQlvsz8a8ulm/Z+dzwJiUV+rHv9moeRnLVksafsuHCo034qITqYDMKlS27jVtc4/HG+VF1c8= ddilling@RCHASCLC.RCHLAND.IBM.COM'
c Position the cursor at the end of each wrapped line and carefully remove the spaces that the paste operation inserted, using the Delete key. Then press the Enter key to run the command.
Step 8: Verify the secure script configuration:
If the keys match, then running the ssh command from the partition will no longer prompt for a password (the terminal type prompt can be suppressed with the -T option). Exit any existing ssh session to the HMC, then connect again from Qshell or the PASE command shell. There should be no prompt for a password:
ssh ddilling@cs6hmc
tcgetattr: The specified device does not exist.
Last login: Thu Jun 30 17:26:51 2005 from localhost.localdomain
tset: unknown terminal type unknown
Terminal type?
vt100
vt100
ddilling@cs6hmc:~>
If that fails, verify that the key was entered correctly. The output of the following HMC command must contain the key exactly as shown in Step 6b. If multiple systems have configured secure script, then more than one entry can exist.
cat .ssh/authorized_keys2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuF8Uq/GG4CdFdDUXl+ggSleo96SbGZEkGtKD721r+hCPya9iy3tCYijCFs9SMjovHdlGmzX5FFbOuYDnlk2yvhBfXvx/V7TmmmsvQlvsz8a8ulm/Z+dzwJiUV+rHv9moeRnLVksafsuHCo034qITqYDMKlS27jVtc4/HG+VF1c8= ddilling@RCHASCLC.RCHLAND.IBM.COM
Common Error Messages
1) ssh: w.x.y.z: Hostname and service name not provided or found
When you connect using a TCP/IP address, ssh expects to be able to perform a DNS reverse-lookup for the address provided. If the host name cannot be resolved, this error is returned. To resolve the problem, correctly register the HMC in the DNS (and enable reverse name look-up) or add a host table entry for the HMC address to the IBM eServer™ i5 partition's host table. The following command creates a host table entry in i5/OS:
ADDTCPHTE INTNETADR('w.x.y.z') HOSTNAME((somehostname))
Press the Enter key.
2) ssh-keygen fails with error "not enough entropy in RNG"
The fix for SE19413 is missing. See the recommended PTF list above.
3) "You don't exist, go away!".
The i5/OS user profile that the ssh command runs under must be 8 characters or less in length.
Running HMC Commands
Once ssh and private/public key authorization is configured, HMC commands can be run directly without prompting for password.
To run a Qshell command from the i5/OS command line or a CL program, use the QSH command; for example:
QSH CMD('ssh -T ddilling@cs6hmc lshmc -V')
HMC commands can also be added to the scheduler; for example:
ADDJOBSCDE JOB(SSHCMD) CMD(QSH CMD('ssh -T ddilling@cs6hmc lshmc -V')) FRQ(*ONCE) SCDTIME('20:00:00')
To run several commands at one time, it may be easier to create a shell script which runs the commands and then invoke the script from i5/OS.
CL Sample
The following sample CL program shows how to invoke Qshell to run the ssh command. The sample accepts an HMC host name or address, the command to run and optional parameters for the HMC user and the identity file, then runs the command on the remote HMC. Finally, it retrieves the exit status of the command that was run to determine whether it succeeded.
The example call below runs a DLPAR add operation that adds the specified IO slot to the target i5/OS partition. The program checks the exit status of the HMC command to determine whether it succeeded. If run in batch, the standard output from the HMC is directed to a spooled file for the job. Note that the HMC command string is interpreted by Qshell on the partition and again by the restricted shell on the HMC, so it must come only from trusted callers or be checked against the expected command syntax first: a string containing double quotes, $( ), backquotes or ; would be expanded or split before it reaches the HMC. For more complex operations, it may be easier to wrap the HMC commands in a Qshell script and run the script from the CL program.
Example Call:
CALL PGM(HMCCL) PARM(
'chhwres -r io -m CS6520 -o a -p RCHASCS6B -l 2102000A '
'9.5.32.12 ' 'ddilling2 ' '/ddilling/.ssh/id_rsa ')
/******************************************************************************/
/* HMC ssh Sample */
/* */
/* HMCCMD CHAR(122) HMC command to execute padded to 122 chars */
/* HOST CHAR(15) HMC hostname or ip address */
/* USER CHAR(10) [optional] HMC user profile name */
/* IDENTITY CHAR(48) [optional] Identity file name */
/* */
/* Parameters map to the ssh command being run as */
/* ssh host | user@host [-i identity] hmccmd */
/* where optional parameters with values of all blanks are treated as missing.*/
/* */
/* - Requires 5733-SC1 -- IBM Portable Utilities for i5/OS */
/* - Secure script execution between the i5/OS partition and the HMC */
/* must be configured for the hmc profile being used. */
/* - if PARM3 is omitted (all blanks), ssh defaults to using the i5/OS user */
/* profile the program is running under (or name specified in user config */
/* file). */
/* - PARM4 can be omitted (all blanks) if the default location for the */
/* identity file is used (~/.ssh). */
/* - Assumes /QOpenSys/QIBM/ProdData/SC1/OpenSSH/openssh-3.5p1/bin */
/* has been added to the path. */
/* */
/* Example (as entered in call qcmd). Verify parameters are padded to the */
/* correct length. */
/* ===> CALL PGM(HMCCL)PARM( */
/*'ls /usr/hmcrbin */
/* ' '9.5.32.12 ' 'ddilling ' */
/*'/ddilling/.ssh/id_rsa ') */
/* */
/* 6/28/2005 1.4 user profile parameter */
/* 7/05/2005 1.5 bug fix */
/* 12/05/2005 1.6 -T */
/* V1.6 ddilling@us.ibm.com */
/******************************************************************************/
PGM PARM(&HMCCMD &HOST &USER &IDENTITY)
DCL VAR(&HMCCMD) TYPE(*CHAR) LEN(122)
DCL VAR(&HOST) TYPE(*CHAR) LEN(15) /* HMC host name/ip */
DCL VAR(&USER) TYPE(*CHAR) LEN(10) /* HMC user profile */
DCL VAR(&IDENTITY) TYPE(*CHAR) LEN(48) /* Identity file */
DCL VAR(&CMD) TYPE(*CHAR) LEN(256)
/* return status parms */
DCL VAR(&BIN4) TYPE(*CHAR) LEN(4)
DCL VAR(&EXITCODED) TYPE(*DEC) LEN(8 0)
DCL VAR(&EXITCODEC) TYPE(*CHAR) LEN(8)
DCL VAR(&MSGID) TYPE(*CHAR) LEN(7)
/* Build the qshell command to execute, adding the user profile as needed. */
/* -T is used in both cases: a single remote command needs no pseudo */
/* terminal, and it avoids the tcgetattr warning and the terminal type */
/* prompt when the program runs in batch. */
IF (%SST(&USER 1 1) *EQ ' ') THEN(DO)
CHGVAR VAR(&CMD) VALUE('ssh -T ' *CAT &HOST)
ENDDO
ELSE DO
CHGVAR VAR(&CMD) VALUE('ssh -T ' *CAT &USER +
*TCAT '@' *CAT &HOST)
ENDDO
/* Add identity file if needed. */
IF (%SST(&IDENTITY 1 1) *NE ' ') THEN(DO)
/* Add the -i option to specify the identity file name */
/* Ex: -i /ddilling/.ssh/id_rsa */
CHGVAR VAR(&CMD) VALUE(&CMD *TCAT +
' -i ' *CAT &IDENTITY )
ENDDO
/* Append the command. &HMCCMD is placed inside double quotes and is */
/* interpreted by Qshell before it reaches the HMC, so it must come from */
/* a trusted source: double quotes, $( ), backquotes or semicolons in it */
/* would be expanded or treated as command separators. Trailing blanks */
/* of the padded parameter are trimmed. */
CHGVAR VAR(&CMD) VALUE(&CMD *TCAT +
' "' *CAT &HMCCMD *TCAT '"' )
/* execute the command */
QSH CMD(&CMD)
MONMSG MSGID(QSH0000 CPF9999) EXEC(DO)
SNDPGMMSG MSG('Unable to execute the ssh command. +
Review joblog for details.')
GOTO EXIT
ENDDO
/* Check the status code: QSH0005 is the completion message sent by QSH */
/* and its message data holds the exit status of the command as BIN(4). */
RCVMSG MSGTYPE(*COMP) RMV(*NO) MSGDTA(&BIN4) +
MSGID(&MSGID)
CHGVAR VAR(&EXITCODED) VALUE(%BINARY(&BIN4))
CHGVAR VAR(&EXITCODEC) VALUE(&EXITCODED)
/* 0 is command worked */
IF COND(&EXITCODED *EQ 0) THEN(DO)
SNDPGMMSG MSG('HMC command executed successfully, exit +
code 0')
ENDDO
/* 1 is command execution failed */
/* 2 is command syntax error */
/* 255 Unable to connect */
ELSE CMD(DO)
SNDPGMMSG MSG('HMC command was executed but failed +
with a non-zero exit code of ' *CAT +
&EXITCODEC *CAT '. View stdout for details')
ENDDO
EXIT:
ENDPGM
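The CL sample builds the ssh command line as one string and hands it to Qshell, and it relies on the operator having answered "yes" to the host key prompt in Step 5. The following PASE/Qshell script is an added example (it is not part of this document or of IBM's sample) that runs one HMC command with the checks a batch job should make first: the HMC host key must already be pinned in a dedicated known_hosts file, the private key must be mode 0600, ssh runs in batch mode so it can never wait at a password prompt, and the exit status is reported with the meanings listed in the sample. The file name hmcrun.sh, the default path ~/.ssh/hmc_known_hosts and the use of a separate known_hosts file are assumptions made here; the user and host names in the comments are the ones used in this document.

```sh
#!/QOpenSys/bin/sh
# hmcrun.sh: run one HMC command from Qshell/PASE the way the CL sample does,
# with the checks the sample leaves to the operator.  Added example, not part
# of the document or of IBM's sample; the known_hosts path is an assumption.
#
#   hmcrun.sh USER HOST IDENTITY COMMAND [ARG...]
#
# Compared with a plain "ssh -T user@host cmd":
#  - the HMC host key must already be pinned in HMC_KNOWN_HOSTS, so an
#    unknown or changed key fails instead of being accepted with "yes";
#  - BatchMode=yes and PasswordAuthentication=no, so a missing or rejected
#    key fails at once instead of leaving a batch job at a password prompt;
#  - the private key must be mode 0600;
#  - the HMC command is passed as separate words, never re-parsed by Qshell.

HMC_KNOWN_HOSTS="${HMC_KNOWN_HOSTS:-$HOME/.ssh/hmc_known_hosts}"

# hmc_known_host_ok FILE HOST: 0 if FILE holds a key line whose host list
# ("host,ip ...") contains HOST.  Hashed entries (HashKnownHosts) are not
# understood by this check.
hmc_known_host_ok() {
    [ -r "$1" ] || return 1
    awk -v h="$2" '
        $1 !~ /^#/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# hmc_identity_mode_ok FILE: 0 unless the private key is readable by others.
# ls -l is used because stat(1) options differ between PASE and GNU.
hmc_identity_mode_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

# hmc_rc_text RC: meaning of the exit status, as listed in the CL sample.
hmc_rc_text() {
    case "$1" in
        0)   echo "command succeeded" ;;
        1)   echo "HMC command failed" ;;
        2)   echo "HMC command syntax error" ;;
        255) echo "ssh could not connect or authenticate" ;;
        *)   echo "unexpected exit status $1" ;;
    esac
}

# hmc_run USER HOST IDENTITY COMMAND...: preflight checks, then the command.
# Returns 255 if a check fails, otherwise the ssh exit status (which is the
# HMC command's own status once the connection succeeded).
hmc_run() {
    user="$1"; host="$2"; ident="$3"; shift 3
    if ! hmc_known_host_ok "$HMC_KNOWN_HOSTS" "$host"; then
        echo "hmcrun: $host is not pinned in $HMC_KNOWN_HOSTS; add its key only" \
             "after comparing the fingerprint with the HMC administrator" >&2
        return 255
    fi
    if ! hmc_identity_mode_ok "$ident"; then
        echo "hmcrun: $ident must be mode 0600 (chmod 600 '$ident')" >&2
        return 255
    fi
    ssh -T -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$HMC_KNOWN_HOSTS" -o PasswordAuthentication=no \
        -i "$ident" "$user@$host" "$@"
    rc=$?
    echo "hmcrun: exit $rc: $(hmc_rc_text "$rc")" >&2
    return "$rc"
}

# Stand-alone use, e.g.:  hmcrun.sh ddilling cs6hmc /ddilling/.ssh/id_rsa lshmc -V
if [ "$#" -ge 4 ]; then
    hmc_run "$@"
fi
```

To pin the HMC, copy the key line that Step 5 stored in ~/.ssh/known_hosts into ~/.ssh/hmc_known_hosts after checking its fingerprint; the script then refuses to talk to anything else. Scheduling works as shown under Running HMC Commands, with the QSH command calling the script instead of ssh directly.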
CentOS 5.5: SATA disks detected as IDE on some PC models, and enabling AHCI after installation
I. SATA detected as IDE
First, when installing CentOS 5.2 on my HP PC, booting from the CD immediately gave "ata_piix no available legacy port" and the installation could not proceed at all.
I then tried CentOS 5.5 instead, and it installed.
But the installed system ran extremely slowly, only about 4 MB/s. On inspection the system was treating the SATA disk as IDE: the devices under /dev all started with /dev/hd. After reading a lot of articles I confirmed the fix:
1. At boot, enter the GRUB one-time edit mode and append ide0=noprobe ide1=noprobe ... (one entry per IDE channel) to the end of the kernel line.
2. If after booting the devices show up as /dev/sdX, it worked; then vi /etc/grub.conf to make the setting permanent.
II. Enabling the Advanced Host Controller Interface (AHCI)
Native Command Queuing (NCQ), a performance feature, needs AHCI and a driver for it to work;
its benefit is most visible on newer SSDs, giving higher throughput when the CPU is busy.
Because I had not enabled AHCI at installation time, the initrd has to be adjusted; otherwise the system will not boot once AHCI is turned on in the BIOS.
1. With AHCI still disabled in the motherboard BIOS, boot Linux normally.
2. Edit /etc/modprobe.conf to set the scsi_hostadapter modules:
after the line
alias scsi_hostadapter ata_piix
add the line
alias scsi_hostadapter2 ahci
3. Rebuild the initial ramdisk so that AHCI is loaded at boot:
mkdir /boot/AHCI
mkinitrd --preload ahci --force-scsi-probe /boot/AHCI/initrd-`uname -r`.img `uname -r`
4. Change the GRUB boot loader to load the new ramdisk (check that the image name is correct):
initrd /AHCI/initrd-2.6.18-194.32.1.el5PAE.img
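The modprobe.conf edit and the initrd rebuild above, as a script that can be re-run without adding the ahci alias a second time and that checks the new image actually contains ahci.ko before GRUB is pointed at it. This is an added example, not from the original post; the script name, the --apply switch and the MODPROBE_CONF variable are assumptions, and the mkinitrd command is the one from step 3.

```sh
#!/bin/sh
# ahci-prep.sh: steps 2 to 4 above as a re-runnable script.  Added example,
# not from the original post.  Nothing is changed unless --apply is given.

MODPROBE_CONF="${MODPROBE_CONF:-/etc/modprobe.conf}"

# add_ahci_alias FILE: print FILE with "alias scsi_hostadapter2 ahci" inserted
# after the ata_piix alias, unless an ahci scsi_hostadapter alias is already
# present.  Returns 1 (prints nothing) when there is no ata_piix alias to
# anchor on, rather than guessing where the line belongs.
add_ahci_alias() {
    awk '
        $1 == "alias" && $2 ~ /^scsi_hostadapter[0-9]*$/ && $3 == "ahci" { have = 1 }
        $1 == "alias" && $2 == "scsi_hostadapter" && $3 == "ata_piix"  { piix = NR }
        { lines[NR] = $0 }
        END {
            if (!piix) exit 1
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == piix && !have) print "alias scsi_hostadapter2 ahci"
            }
        }' "$1"
}

# grub_initrd_line KERNEL_VERSION: the initrd line for grub.conf, for a
# ramdisk stored under /boot/AHCI when /boot is GRUB's root.
grub_initrd_line() {
    echo "initrd /AHCI/initrd-$1.img"
}

# initrd_has_ahci IMG: 0 if the gzip'd cpio image contains ahci.ko.
initrd_has_ahci() {
    gzip -dc "$1" 2>/dev/null | cpio -t 2>/dev/null | grep -q 'ahci\.ko$'
}

if [ "$1" = "--apply" ]; then
    kv=$(uname -r)
    tmp=$(mktemp) || exit 1
    if ! add_ahci_alias "$MODPROBE_CONF" > "$tmp"; then
        echo "no 'alias scsi_hostadapter ata_piix' in $MODPROBE_CONF" >&2
        rm -f "$tmp"; exit 1
    fi
    cp -p "$MODPROBE_CONF" "$MODPROBE_CONF.bak" && cat "$tmp" > "$MODPROBE_CONF"
    rm -f "$tmp"
    mkdir -p /boot/AHCI
    mkinitrd --preload ahci --force-scsi-probe "/boot/AHCI/initrd-$kv.img" "$kv" || exit 1
    if ! initrd_has_ahci "/boot/AHCI/initrd-$kv.img"; then
        echo "ahci.ko is missing from the new initrd; do not change grub.conf" >&2
        exit 1
    fi
    echo "add this line to the CentOS entry in /etc/grub.conf:"
    grub_initrd_line "$kv"
fi
```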
Security implications of using SSH on iSeries
http://archive.midrange.com/security400/200609/msg00048.html
External links
* PDF of Securing Communications with OpenSSH on IBM i5/OS (redp4163) at IBM Redpapers
* LPO 5733-SC1 -- IBM Portable Utilities for i
* How to set up SSH client on iSeries for password-less connections from midrange-l
* SSHSetup at YiPs Wiki
Using the iSeries SSH client
These are instructions on how to use the System i ssh client for automatic, secure file transfer. Your business partner has assigned you a remote user account called yourRemoteUser.
Your local system i process will run as user RUSER.
System Requirements
Full instructions can be found here: http://www.ibm.com/servers/enable/site/porting/tools/.
* The Portable Application Solutions Environment (PASE) must be installed on the iSeries server to use ssh. Check for licensed program 5722SS1 option 33.
* See also #External links for the IBM Redpaper.
Setting up the user profile
Assuming that the user profile to be used is RUSER, you need to set up some folders with the correct permissions, so that no other profile can read the private key that will be stored there.
CHGUSRPRF USRPRF(RUSER) HOMEDIR('/home/RUSER')
MKDIR DIR('/home') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
MKDIR DIR('/home/RUSER') DTAAUT(*INDIR) OBJAUT(*INDIR)
If the home directory already exists, please run
CHGAUT OBJ('/home/RUSER') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)
Create the .ssh subdirectory:
MKDIR DIR('/home/RUSER/.ssh') DTAAUT(*INDIR) OBJAUT(*INDIR)
Getting and storing the remote server public key
Log in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Start the PASE shell
CALL QP2TERM
Execute this shell command, which records whatever key the host at that address presents:
ssh-keyscan -t rsa your.customer.com >> ~/.ssh/known_hosts
ssh-keyscan verifies nothing, so compare the fingerprint of the recorded key (ssh-keygen -l prints it) with the one your partner gives you through another channel before relying on it; otherwise the batch job will send its files to whoever answered the scan.
Now you need to set up your own key pair.
Setting up your public and private key pair
Log in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Self creation of keys
Start the PASE shell
CALL QP2TERM
Create the private/public key pair with the ssh-keygen tool using an EMPTY passphrase (a batch job has nobody to type one), and place it in the default location, file "~/.ssh/id_rsa". Because the key is stored unencrypted, the directory permissions set above are what protects it. The 1024-bit RSA key in this command is below current minimums; use -b 2048 or larger when the remote server accepts it.
ssh-keygen -b 1024 -f ~/.ssh/id_rsa -t rsa
Send the public key from file "~/.ssh/id_rsa.pub" to your customer. (The public key is added by the server admin to the "~/.ssh/authorized_keys" file on the SSH server.) Never send the private key.
Using a key issued by someone else
Your business partner may have issued you a key, and now you should use it and not create your own. In this case, copy the key file that you received into the .ssh folder and make sure that only RUSER can read it (mode 600); ssh refuses to use a private key whose permissions are too open.
Copying files with SCP
To copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
(replace "id_rsa" with the actual name of the private key that you are to use) (The /b2b/incoming folder must exist prior to the copying.)
To run batch file transfer via scp, create a script file like this (called examplescp.sh)
#!/QOpenSys/bin/sh
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplescp.sh')) JOB(SSHJOB) USER(RUSER)
Copying files with SFTP
We want to copy all xml files from the IN directory (inside our home directory) on the remote server to the /b2b/incoming folder and delete them from the remote server.
Create a text file called ssh-input.txt that contains:
get IN/*.xml /b2b/incoming
rm IN/*.xml
exit
In batch mode (-b) sftp stops at the first command that fails, so the rm only runs if the get succeeded. To run the batch file transfer via sftp, create a script file like this (called examplesftp.sh):
#!/QOpenSys/bin/sh
sftp -b ssh-input.txt -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh')) JOB(SSHJOB) USER(RUSER)
Placing your own public key on the remote server
Sometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permission to your home directory, and hopefully it does not have any public authority.
Start the PASE shell
CALL QP2TERM
Connect to the remote server using your password.
sftp yourRemoteUser@your.customer.com
Check to see if there is a .ssh folder in your home directory.
dir .ssh
If it does not exist , create it now, and switch to it.
mkdir .ssh
cd .ssh
If the authorized_keys file already exists, then you will have to get it to your system, append your public key to it, and then send it back. If it does not exist, then the following will suffice:
put ~/.ssh/id_rsa.pub authorized_keys
sshd ignores the file when it or the .ssh directory is writable by others (StrictModes), so finish with the sftp chmod command: 700 on .ssh and 600 on authorized_keys.
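Both Step 7 of the HMC document above (pasting the key into mkauthkeys) and this workaround end with a key line typed or pasted by hand, and a damaged line is silently ignored when the server reads authorized_keys. The following PASE script, an added example that is not from the page, checks a public key line for the damage described (carriage returns from a Windows paste, a body wrapped onto several 5250 lines, spaces inserted into the body, a body that does not match its type label) and appends it once to a local authorized_keys file with the permissions sshd requires. The script name addkey.sh is an assumption; the key in the usage comment is the one listed in Step 6 of the HMC document.

```sh
#!/QOpenSys/bin/sh
# addkey.sh: check a public key line before it is pasted into mkauthkeys or
# put into a remote authorized_keys file, and append it without duplicates.
# Added example, not from the page.

# pubkey_line_ok LINE: 0 if LINE is one clean OpenSSH public key entry:
# exactly one line, no carriage return, no trailing blanks, "type base64
# [comment]", an unbroken base64 body whose length is a multiple of 4, and a
# body that starts with the encoded type name (ssh-rsa -> AAAAB3NzaC1yc2E,
# ssh-dss -> AAAAB3NzaC1kc3).  The reason for a rejection goes to stderr.
pubkey_line_ok() {
    printf '%s' "$1" | awk '
        NR > 1                      { bad = "key spans several lines"; exit }
        /\r/                        { bad = "carriage return present"; exit }
        /[ \t]$/                    { bad = "trailing whitespace"; exit }
        NF < 2 || NF > 3            { bad = "expected: type base64 [comment]"; exit }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ { bad = "body is not base64"; exit }
        length($2) % 4 != 0         { bad = "body length is not a multiple of 4"; exit }
        $1 == "ssh-rsa" && $2 !~ /^AAAAB3NzaC1yc2E/ { bad = "body is not an ssh-rsa key"; exit }
        $1 == "ssh-dss" && $2 !~ /^AAAAB3NzaC1kc3/  { bad = "body is not an ssh-dss key"; exit }
        $1 != "ssh-rsa" && $1 != "ssh-dss"          { bad = "unknown key type " $1; exit }
        END { if (bad != "") { print "rejected: " bad | "cat 1>&2"; exit 1 } }'
}

# authorized_keys_add FILE LINE: append LINE to FILE once.  The file is
# created and kept at mode 600, since sshd (StrictModes) ignores a file
# that others can write.  Returns 0 when the key is present afterwards and
# 1 when LINE was rejected.
authorized_keys_add() {
    f="$1"; line="$2"
    pubkey_line_ok "$line" || return 1
    key=$(printf '%s' "$line" | awk '{ print $1, $2 }')
    if [ -f "$f" ] && awk -v k="$key" \
        '($1 " " $2) == k { found = 1; exit } END { exit found ? 0 : 1 }' "$f"; then
        return 0   # same key already authorized (comment differences ignored)
    fi
    ( umask 077; printf '%s\n' "$line" >> "$f" ) && chmod 600 "$f"
}

# Stand-alone use:
#   addkey.sh ~/.ssh/authorized_keys 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuF8U... ddilling@RCHASCLC.RCHLAND.IBM.COM'
if [ "$#" -eq 2 ]; then
    authorized_keys_add "$1" "$2"
fi
```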
Setting up an iSeries SSHD server
http://www-03.ibm.com/servers/enable/site/porting/tools/openssh.html
To run the sshd daemon on i5/OS:
* The userid that starts the daemon must have *ALLOBJ special authority
* The userid that starts the daemon must be 8 or fewer characters long
* Before starting sshd for the first time, you will need to generate host keys. The rsa1 key is only used by SSH protocol 1, which is obsolete; generate it only if you deliberately keep Protocol 1 enabled:
ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
* You can start the sshd daemon with either one of these CL commands:
QSH CMD('/QOpenSys/usr/sbin/sshd')
CALL PGM(QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd')
With IBM i 6.1 you can also use STRTCPSVR SERVER(*SSHD).
* You can stop the sshd daemon at V5R4 by starting the PASE command shell:
CALL PGM(QP2SHELL)
(then issue the command to show active processes)
ps ax
(Find the PID of the sshd process and issue the kill command; if the PID is 1234...)
kill 1234
The sshd configuration file (sshd_config, in the same etc directory as the host keys above) should be reviewed for fitness to your security policy. In particular, the following items should be decided upon:
* With no AllowUsers directive, sshd lets ALL enabled user profiles connect and execute PASE and system commands, even if they are limited users (LMTCPB(*YES)). Use the AllowUsers, AllowGroups, DenyUsers and DenyGroups directives to restrict access to the profiles that need it, such as RUSER.
* PermitRootLogin (default yes) controls whether QSECOFR, which PASE maps to uid 0, can log in via SSH; set it to no.
* sshd uses the first occurrence of a keyword and ignores later ones, so put your settings before any existing lines for the same keyword.
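To check an existing sshd_config for these points before starting sshd, the following PASE script, an added example that is not from the page or from IBM, prints the effective value of each keyword (first occurrence wins, comments skipped), flags the weak settings, and prints a corrected fragment for a file-transfer profile. It assumes the defaults of OpenSSH releases of that era for keywords that are absent (PermitRootLogin yes, PasswordAuthentication yes, Protocol 2,1); the script name sshdaudit.sh and the path in the comment are assumptions.

```sh
#!/QOpenSys/bin/sh
# sshdaudit.sh: review an sshd_config for the settings discussed above.
# Added example, not from the page or from IBM.  With 5733-SC1 the file is
# /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/sshd_config (the
# same etc directory as the host keys above).

# sshd_effective FILE KEYWORD: print the value sshd will use for KEYWORD.
# sshd takes the FIRST occurrence of a keyword and ignores later ones, which
# is why appending "PermitRootLogin no" to a file that already says "yes"
# changes nothing.  Keywords are case-insensitive; comments are skipped.
sshd_effective() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == k {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
            print; exit
        }' "$1"
}

# sshd_audit FILE: print one "WARN <keyword> <value>: <why>" line per weak
# setting; returns 0 when nothing was flagged, 1 otherwise.
sshd_audit() {
    f="$1"; bad=0

    v=$(sshd_effective "$f" PermitRootLogin); [ -n "$v" ] || v="yes (default)"
    case "$v" in
        no) ;;
        *) echo "WARN PermitRootLogin $v: QSECOFR (uid 0 in PASE) may log in over ssh"; bad=1 ;;
    esac

    a=$(sshd_effective "$f" AllowUsers); g=$(sshd_effective "$f" AllowGroups)
    if [ -z "$a$g" ]; then
        echo "WARN AllowUsers/AllowGroups unset: every enabled profile, limited users included, gets a PASE shell"; bad=1
    fi

    v=$(sshd_effective "$f" PasswordAuthentication); [ -n "$v" ] || v="yes (default)"
    case "$v" in
        no) ;;
        *) echo "WARN PasswordAuthentication $v: file-transfer profiles only need keys; passwords can be guessed"; bad=1 ;;
    esac

    v=$(sshd_effective "$f" PermitEmptyPasswords)
    case "$v" in
        yes) echo "WARN PermitEmptyPasswords yes: accounts with empty passwords could log in"; bad=1 ;;
    esac

    v=$(sshd_effective "$f" Protocol); [ -n "$v" ] || v="2,1 (default)"
    case "$v" in
        *1*) echo "WARN Protocol $v: SSH protocol 1 is enabled; use Protocol 2 and drop the rsa1 host key"; bad=1 ;;
    esac

    return "$bad"
}

# sshd_hardened_fragment PROFILE: the corrected settings for a file-transfer
# profile; place them BEFORE any existing lines for the same keywords.
sshd_hardened_fragment() {
    cat <<EOF
AllowUsers $1
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Protocol 2
EOF
}

# Stand-alone use:  sshdaudit.sh /path/to/sshd_config
if [ "$#" -gt 0 ]; then
    sshd_audit "$1"
fi
```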
http://archive.midrange.com/security400/200609/msg00048.html
External links
* PDF of Securing Communications with OpenSSH on IBM i5/OS (redp4163) at IBM Redpapers
* LPO 5733-SC1 -- IBM Portable Utilities for i
* How to set up SSH client on iSeries for password-less connections from midrange-l
* SSHSetup at YiPs Wiki
Using the iSeries SSH clientThese are instructions on how to use the system i ssh client for automatic, secure file transfer. Your business partner has assigned you a remote user account called yourRemoteUser.
Your local system i process will run as user RUSER.
System RequirementsFull instructions can be found here http://www.ibm.com/servers/enable/site/porting/tools/.
* Portable App Solutions Environment also known as PASE must be installed on the iSeries server to use ssh. Check the existence of licensed program 5722SS1 option 33.
* See also #External links for the IBM Redbook.
Setting up the user profileAssuming that the user profile to be used is RUSER, you need to set up some folders with the correct permissions.
CHGUSRPRF USRPRF(RUSER) HOMEDIR('/home/RUSER')
MKDIR DIR('/home') DTAAUT(*EXCLUDE) OBJAUT(*NONE)
MKDIR DIR('/home/RUSER') DTAAUT(*INDIR) OBJAUT(*INDIR)
If the home directory already exists, please run
CHGAUT OBJ('/home/RUSER') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) SUBTREE(*ALL)
Create the .ssh subdirectory:
MKDIR DIR('/home/RUSER/.ssh') DTAAUT(*INDIR) OBJAUT(*INDIR)
Getting and storing the remote server public keyLog in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Start the PASE shell
CALL QP2TERM
Execute this shell command
ssh-keyscan -t rsa your.customer.com >> ~/.ssh/known_hosts
Now you need to set up your own key pair.
Setting up your public and private key pairLog in as user RUSER. You can use a security officer account instead, but then you will have to reset the permissions and file ownership back to RUSER.
Self Creation of keysStart the PASE shell
CALL QP2TERM
Create the appropriate private/public keys with the ssh-keygen tool using an EMPTY passphrase, and place it in the default location in file "~/.ssh/id_rsa".
ssh-keygen -b 1024 -f ~/.ssh/id_rsa -t rsa
Send the public key from file "~/.ssh/id_rsa.pub" to your customer. ( The public key is added by the sever admin to "~/.ssh/authorized_keys" file on the SSH server.)
Using a key issued by someone elseYour business partner may have issued you a key, and now you should use it and not create your own. In this case, copy the key file that you received into the .ssh folder.
Copying files with SCPTo copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
(replace "id_rsa" with the actual name of the private key that you are to use) (The /b2b/incoming folder must exist prior to the copying.)
To run batch file transfer via scp, create a script file like this (called examplescp.sh)
#! /QopenSys/bin/sh
scp -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com:IN/*.xml /b2b/incoming
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplescp.sh')) JOB(SSHJOB) USER(RUSER)
Copying files with SFTPWe want to copy all xml files from the IN directory (inside our homedir) on the remote server to the /b2b/incoming folder and delete them from the remote server.
Create a text file called ssh-input.txt that contains:
get IN/*.xml /b2b/incoming
rm IN/*.xml
exit
To run batch file transfer via sftp, create a script file like this (called examplesftp.sh)
#! /QopenSys/bin/sh
sftp –b ssh-input.txt -o IdentityFile=~/.ssh/id_rsa yourRemoteUser@your.customer.com
exit
Execute it in batch via command
SBMJOB CMD(CALL PGM(QP2SHELL) PARM('/folderpath/examplesftp.sh')) JOB(SSHJOB) USER(RUSER)
Placing your own public key on the remote serverSometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permissions you your home directory, and hopefully it does not have any public authority.
Start the PASE shell
CALL QP2TERM
Connect to the remote server using your password.
sftp yourRemoteUser@your.customer.com
Check to see if there is a .ssh folder in your home directory.
dir .ssh
If it does not exist , create it now, and switch to it.
mkdir .ssh
cd .ssh
If the authorized_keys file already exists, then you will have to get it to your system and append your public key to it, and then send it back. If it does not exist, then the following will suffice:
put ~/.ssh/id_rsa.pub authorized_keys
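The case the text leaves to you, an existing authorized_keys that must be fetched, extended and sent back, is the one most likely to go wrong (duplicated keys, two keys glued onto one line). The script below is an added example, not from the original post, that merges your key into a downloaded copy idempotently and writes the sftp batch file (the same -b mechanism used in examplesftp.sh above) that pushes it back; the function names, the /tmp paths and the remote user/host are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: merge your public key into a copy
# of the remote authorized_keys without duplicating it, and write the sftp batch
# file that pushes it back. Function names and paths are assumptions.

# merge_authorized_key KEYFILE AUTHKEYS
# Appends the public key in KEYFILE to AUTHKEYS unless the same key (type and
# base64 blob; the trailing comment is ignored) is already there.
# Prints "added" or "present"; returns 1 if KEYFILE holds no key.
merge_authorized_key() {
    keyfile=$1
    authkeys=$2
    keyid=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$keyfile")
    [ -n "$keyid" ] || return 1
    touch "$authkeys"
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$authkeys"; then
        echo present
        return 0
    fi
    # A downloaded file may lack a final newline; never glue two keys on one line.
    [ -n "$(tail -c 1 "$authkeys")" ] && echo >> "$authkeys"
    cat "$keyfile" >> "$authkeys"
    echo added
}

# write_sftp_batch BATCHFILE LOCALFILE
# Emits a batch file for "sftp -b BATCHFILE user@host" that uploads LOCALFILE as
# ~/.ssh/authorized_keys. A leading "-" makes sftp ignore that command's
# failure, so the mkdir is harmless when .ssh already exists.
write_sftp_batch() {
    cat > "$1" <<EOF
-mkdir .ssh
chmod 700 .ssh
put $2 .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
exit
EOF
}

# Typical use from the PASE shell (remote user/host are placeholders):
#   sftp yourRemoteUser@your.customer.com:.ssh/authorized_keys /tmp/ak   # skip if it does not exist
#   merge_authorized_key ~/.ssh/id_rsa.pub /tmp/ak
#   write_sftp_batch /tmp/push.txt /tmp/ak
#   sftp -b /tmp/push.txt yourRemoteUser@your.customer.com
```

The chmod lines matter: sshd refuses keys in an authorized_keys file or .ssh directory that is writable by others, so a push that forgets them silently keeps you on password logins.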
Setting up an iSeries SSHD server
http://www-03.ibm.com/servers/enable/site/porting/tools/openssh.html
To run the sshd daemon on i5/OS:
* The userid that starts the daemon must have *ALLOBJ special authority
* The userid that starts the daemon must be 8 or fewer characters long
* Before starting sshd for the first time, you will need to generate host keys:
ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""
* You can start the sshd daemon with either one of these CL commands:
QSH CMD ('/QOpenSys/usr/sbin/sshd')
CALL PGM(QP2SHELL) PARM('/QopenSys/usr/sbin/sshd')
With IBM i 6.1 you can also use STRTCPSVR *SSHD
* You can stop the sshd daemon at V5R4 by starting the PASE command shell:
CALL PGM(QP2SHELL)
(then issue the command to show active processes)
ps ax
(Find the PID number of the process for ssh and issue the kill command, if the PID is 1234...)
kill 1234
The SSHD configuration file should be reviewed for fitness to your security policy. In particular, the following items should be decided upon:
* With no AllowUsers directive set, sshd by default allows ALL active users to connect and execute PASE and system commands, even if they are limited users. Check the AllowUsers, AllowGroups, DenyUsers and DenyGroups directives to see what is good for you.
* The PermitRootLogin directive allows QSECOFR to log in via SSH.
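A quick way to turn the two review items above into a repeatable check, as an added example that is not part of the original post: the script reads sshd_config the way sshd does (keywords are case-insensitive, the first occurrence wins, commented lines are ignored) and reports when nobody is scoped out or when PermitRootLogin is anything but "no". The config path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report the sshd_config access
# directives the text says to review. The path is an assumption matching the
# host-key paths above; override it with SSHD_CONFIG=... if yours differs.
SSHD_CONFIG=${SSHD_CONFIG:-/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/sshd_config}

# sshd_directive CONFIG KEYWORD
# Prints the value of KEYWORD (keywords are case-insensitive and sshd uses the
# first occurrence); prints nothing if the keyword is absent or commented out.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd_config CONFIG
# Prints one finding per line and returns 1 if any is found, 0 if clean:
#  - no AllowUsers/AllowGroups/DenyUsers/DenyGroups: every enabled profile,
#    limited users included, may log in and run PASE commands
#  - PermitRootLogin not "no": QSECOFR may log in over SSH
audit_sshd_config() {
    cfg=$1
    rc=0
    scoped=""
    for d in AllowUsers AllowGroups DenyUsers DenyGroups; do
        scoped="$scoped$(sshd_directive "$cfg" "$d")"
    done
    if [ -z "$scoped" ]; then
        echo "no AllowUsers/AllowGroups/DenyUsers/DenyGroups set: all enabled profiles may log in"
        rc=1
    fi
    prl=$(sshd_directive "$cfg" PermitRootLogin)
    case "${prl:-yes}" in
        no) ;;
        *)  echo "PermitRootLogin is '${prl:-unset (sshd default applies)}': QSECOFR may log in over SSH"
            rc=1 ;;
    esac
    return $rc
}

# Run against the live file from QP2TERM; exits non-zero when there are findings:
#   audit_sshd_config "$SSHD_CONFIG"
```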
Samba on AIX 5.3
Here are instructions on how to get the pware Samba running on AIX 5.3.
1. Install these packages from the AIX installation CD:
ldap.client.rte
ldap.client.adt
2. Download these packages:
mkdir pware-samba
cd pware-samba
xargs wget -nd << EOF
http://pware.hvcc.edu/download/aix53-64/pware53-64.samba.3.4.2.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.base.5.3.0.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.cyrus-sasl.2.1.22.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.gettext.0.17.0.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.krb5.1.6.3.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.libiconv.1.13.1.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.ncurses.5.7.0.1.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.openldap.2.4.19.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.openssl.0.9.8.11.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.popt.1.10.4.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.bdb.4.7.25.4.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.rsync.3.0.6.0.bff.gz
http://pware.hvcc.edu/download/aix53-64/pware53-64.zlib.1.2.3.0.bff.gz
EOF
server:root>for i in *.gz; do gunzip $i; done
From: http://pware.hvcc.edu/download/aix53-64/
3. Install the packages.
The installed files go under /opt/pware64
Samba configuration file is /opt/pware64/lib/smb.conf
4. Extremely simple Samba configuration file:
[global]
workgroup = MYGROUP
log file = /var/log/%m.log
max log size = 500
[myshare]
comment = Sample share
path = /tmp/myshare
public = yes
writable = yes
browseable = yes
5. Enable POSIX Asynchronous IO if needed:
server:root>mkdev -l posix_aio0
posix_aio0 Available
server:root>lsdev -Cc posix_aio
posix_aio0 Available Posix Asynchronous I/O
The posix_aio device is needed; otherwise all binaries will fail to load with an error like this:
exec(): 0509-036 Cannot load program ./smbclient because of the following errors:
0509-130 Symbol resolution failed for /usr/lib/libc.a[posix_aio_64.o] because:
0509-136 Symbol _posix_kaio_rdwr64 (number 2) is not exported from
dependent module /unix.
0509-136 Symbol _posix_listio64 (number 3) is not exported from
dependent module /unix.
0509-136 Symbol _posix_acancel64 (number 4) is not exported from
dependent module /unix.
0509-136 Symbol _posix_iosuspend64 (number 5) is not exported from
dependent module /unix.
0509-136 Symbol _posix_aio_nwait (number 6) is not exported from
dependent module /unix.
0509-136 Symbol _posix_aio_nwait64 (number 7) is not exported from
dependent module /unix.
0509-136 Symbol _posix_aio_nwait_timeout (number 8) is not exported from
dependent module /unix.
0509-136 Symbol _posix_aio_nwait_timeout64 (number 9) is not exported from
dependent module /unix.
0509-136 Symbol _posix_iofsync64 (number 10) is not exported from
dependent module /unix.
0509-026 System error: Error 0
0509-192 Examine .loader section symbols with the
'dump -Tv' command.
So if you run into this error message, create the POSIX AIO device.
6. Run samba
server:root>/opt/pware64/sbin/smbd
server:root>/opt/pware64/sbin/nmbd
7. Add to inittab for automatic start at boot time
server:root>mkitab nmbd:2:once:/opt/pware64/sbin/nmbd
server:root>mkitab smbd:2:once:/opt/pware64/sbin/smbd
Mounting Windows filesystems from AIX 5.3
First, you must install fileset bos.cifs_fs.rte, and optionally bos.cifs_fs.smit for the Smitty interface, from the installation DVD.
To invoke the Smitty interface, run:
root# smitty cifs_fs
The Smitty interface will enable you to do almost anything you need with the CIFS filesystem.
For people who prefer the command line, mounting a share is a two-phase process. First, credentials must be added to the /etc/cifs_fs/cifscred file. After that, you can mount a remote CIFS file system using the credentials specified. You could do the whole thing from the command line in one go, but this is the preferred method in my opinion.
SMBFS can store server/user/password credentials in the /etc/cifs_fs/cifscred file to allow automatic retrieval of passwords when mounting SMBFS. Credentials can be added, changed, and removed from this file with the mkcifscred, chcifscred, and rmcifscred commands.
To add a credential (the angle-bracket placeholders stand for your own values):
root# mkcifscred -h <server> -u <user> -p <password>
Use the mkcifsmnt, chcifsmnt, rmcifsmnt, and lscifsmnt commands to add, change, remove, and list, respectively, cifs stanzas in /etc/filesystems.
To mount a file system (again, angle brackets mark the values you supply):
root# mkdir -p /mount/point
root# mkcifsmnt -f /mount/point -h <server> -d <share> -c <user> -w <workgroup>
That will add a new stanza to /etc/filesystems:
/mount/point:
        dev             = <share>
        vfs             = cifs
        nodename        = <server>/<user>
        mount           = false
        options         = wrkgrp=<workgroup>
        account         = false
Automatic mounting during startup can be specified with the -A option to mkcifsmnt. You can give the mounted share a different set of permissions and owners with the -u, -g and -x options.
New RHCSA certification added
In case I forget the details and can't find them again when I need them, I'm putting them on the blog first.
By the way, the new name is closer to the actual job content, and as a result I got one more certificate. ^_^
Red Hat (USA) announced on November 10, 2010 that the new RHEL 6 release is officially available. For a detailed introduction to Red Hat Enterprise Linux 6 (RHEL 6), see the vendor's website:
http://press.redhat.com/2010/11/11/introducing-the-red-hat-certified-system-administrator-rhcsa-certification/
In addition, along with the RHEL 6 release, Red Hat has updated its RHCE certification scheme: starting with RHEL 6, the new RHCSA certification replaces the former RHCT certification. From RHEL 6 onward, anyone who wants to obtain the RHCE certification must, under the new scheme, pass both the RHCSA (EX200) and RHCE (EX300) exams.
恆逸 has summarized the key differences between the old and new certification versions, with related advice, for your reference:
1. If you hold the RHEL 4 version of the RHCE certification
Under Red Hat's original certification rules, the old version is retired 60 days after a new version is released; with the release of RHEL 6, the version being retired is RHEL 4, with an expected retirement date of January 9, 2011. For customers holding the old RHEL 4 certification, 恆逸's advice is that the cheapest option is to upgrade to the RHEL 5 exam and obtain that certification while the RHEL 5 exam can still be taken. The RHEL 5 version of RHCE requires passing only one exam (exam code RH302), and the RHEL 5 certification stays valid until 60 days after the next version, RHEL 7, is released. (By the vendor's usual practice, each version update comes roughly 1.5 to 2 years apart.) Former 恆逸 RHEL 4 students upgrading to RHEL 5 are eligible for the best registration and exam discounts; please contact your account representative for details of the registration discount.
2. If you have already passed the RHEL 5 version certification
The RHEL 5 certification is currently still a valid version. You can choose to upgrade to the new RHEL 6 certification right away, or wait until RHEL 7 is released and then upgrade, to keep your certification valid.
3. Will the new RHCSA certification replace RHCT?
Yes. According to Red Hat's official statement, RHCSA will replace the RHCT certification. RHCSA stands for Red Hat Certified System Administrator, and this new certification becomes the core of RHCE: from RHEL 6 onward, you must hold RHCSA before the RHCE certification can be granted. Under the new rules, each certification is valid for three years.
4. Do the new certifications expire?
Yes. Under the new rules, RHCSA and RHCE certifications are valid for three years. If you pass a higher-level certification exam while a certification is still valid, its validity is automatically extended by three years. For example, if you obtain RHCSA on January 20, 2011, it is valid until January 19, 2014; if you then pass RHCE on March 20, 2011, the original RHCSA is automatically extended to March 19, 2014.
5. If I am an RHEL 4 RHCE, does this affect the RHCA exams I am currently preparing for?
Because RHEL 4 is expected to be retired on January 9, 2011, and the RHCA exam rules require a current RHCE, we suggest finishing the RHCA exams and obtaining the RHCA certification before RHEL 4 is retired. After January 9, 2011, you will additionally need to pass the RHEL 5 or RHEL 6 exam to regain a valid RHCE.
6. What is the price of the RHCSA exam?
The exam fee for Taiwan has not yet been set; once the related courses or exams are scheduled, 恆逸 will announce them separately. Please watch the website announcements or the UCOM Express newsletter.
HTC Desire HD: annoying problems solved
After several months of using the HTC Desire HD, today I finally solved three bugs.
1. Phone software runs very slowly; the CPU is occasionally maxed out.
Ans: Settings --> Applications --> Development --> turn USB debugging "on". The phone software is no longer slow.
2. The Taiwan map does not display (the map is all yellow), yet maps of other countries display normally after download.
Ans: In Settings, format the SD card and reinstall Locations.
Personally I blame a mismatch between the distributor's SD copy technique and Route66's copy-protection technology.
3. After using the phone to get the computer online, the phone's Wi-Fi stops working properly.
Ans: The only fix is to "restart" the phone. A quick power off/on does not solve this problem.
It looks like the route table, or the phone and the wireless network's DHCP both being active at the same time, causes the problem, so even after getting a new IP the Wi-Fi still does not work. When I reported it they said they could not reproduce the problem. I am not sure of the cause, but the problem really does exist.
I really have to rip into HTC customer service; I have called them no fewer than 10 times,
uninstall, re-download, factory reset... tried everything, dragged on for more than 2 months, unresolved,
problems like this the customer has to solve with Google on their own, and reports go unhandled. Come on, HTC!
Feel free to use my SOP for the fix, but remember to pay me.