IBM Patent Server DCE Userid Creation

Patent Server New Machine Build Process


Making Changes to the Domain Name Server (DNS)

This presumes you are adding a machine to the Patent Server private network, 192.168.56.0 through 192.168.56.255. If you're adding to another subnet, adjust which files you change accordingly.

As root on the Control Workstation (as0000e1), which is the primary name server for the Patent Server private network.

  1. cd /etc/dns
  2. vi db.patents.ibm.com
    • Add a comment at the top.
    • Most important is to update the serial number of this file, found just below the comments. The line is of the form
                   1998042401      ; serial
      
      and is the four-digit year, two-digit month and day, and a two-digit sequence number within the day, in case there are multiple updates that day. Secondary name servers compare this number with the one in their copy and refresh only when yours is larger, so the bigger the number, the newer the file. If you forget to bump it, the secondaries keep serving the old data.
    • Add a line or make the change you want, using the existing lines as examples.
  3. vi db.192.168.56
    • Just like above, make a comment in the front of the file.
    • Increment the serial number!!
    • Make the change you want.
  4. Refresh the named daemon with refresh -s named
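As an added example (not part of the original runbook, and not a script that exists on the Control Workstation), here is a small sh script that computes and applies the next serial in the YYYYMMDDnn convention described above. It refuses to write a serial that is not larger than the current one, since that is exactly the case where the secondaries silently keep stale data, and it handles the same-day, new-day and serial-already-in-the-future cases. The zone fragment it edits is constructed for the dry run; the host name and address in it are illustrative.

```shell
#!/bin/sh
# Added example, not from the original runbook: compute and apply the next
# zone serial in the YYYYMMDDnn convention, refusing anything that is not
# larger than the current serial (secondaries only refresh on a larger number).

# current_serial FILE -> prints the number on the line marked "; serial".
current_serial() {
    awk '/;[ \t]*serial/ { print $1; exit }' "$1"
}

# next_serial OLD [TODAY] -> the serial to use for this edit. TODAY is
# YYYYMMDD and defaults to the current date. Same-day edits bump the two-digit
# sequence; a new day restarts at 01; a serial already ahead of today (typo,
# wrong clock) is incremented instead, so the secondaries still see growth.
next_serial() {
    old=$1
    today=${2:-$(date +%Y%m%d)}
    case $old in
        ''|*[!0-9]*) echo "next_serial: serial '$old' is not numeric" >&2; return 1 ;;
    esac
    case $old in
        ${today}[0-9][0-9])
            seq=${old#"$today"}
            seq=$(( ${seq#0} + 1 ))
            if [ "$seq" -gt 99 ]; then
                echo "next_serial: already 99 edits on $today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$seq" ;;
        *)
            if [ "$old" -gt "${today}00" ]; then
                echo $(( old + 1 ))
            else
                echo "${today}01"
            fi ;;
    esac
}

# bump_serial FILE [TODAY] -> rewrites the "; serial" line in place, prints
# the new serial, and fails rather than write a serial that did not grow.
bump_serial() {
    old=$(current_serial "$1")
    [ -n "$old" ] || { echo "bump_serial: no '; serial' line in $1" >&2; return 1; }
    new=$(next_serial "$old" ${2:+"$2"}) || return 1
    [ "$new" -gt "$old" ] || { echo "bump_serial: $new is not newer than $old" >&2; return 1; }
    awk -v new="$new" '/;[ \t]*serial/ && !done { sub(/[0-9]+/, new); done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1" || return 1
    echo "$new"
}

# Constructed zone fragment (not the real db.patents.ibm.com) for a dry run.
make_sample_zone() {
    cat > "$1" <<'EOF'
; constructed sample, SOA only
@       IN      SOA     as0000e1.patents.ibm.com. root.as0000e1.patents.ibm.com. (
                        1998042401      ; serial
                        10800           ; refresh
                        3600            ; retry
                        604800          ; expire
                        86400 )         ; minimum
        IN      NS      as0000e1.patents.ibm.com.
newhost IN      A       192.168.56.200  ; illustrative address
EOF
}

if [ "${1:-}" = "--demo" ]; then
    z=$(mktemp); make_sample_zone "$z"
    echo "before: $(current_serial "$z")"
    echo "after:  $(bump_serial "$z")"
    rm -f "$z"
fi
```

Run it with --demo to see it work on the constructed fragment. Against the real files the same pattern would be bump_serial on db.patents.ibm.com and again on db.192.168.56 (each zone has its own serial), then the refresh -s named from step 4; current_serial on each file afterwards confirms what the secondaries will see.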


Defining a Machine to the Network Install Manager (NIM)

Warning! This section is for non-SP/2 nodes only. If this is an SP/2 node, use the normal SP/2 procedures that are written up in the SP/2 manuals. For example, for as0301e0/1, which is the S70 at frame 3, node 1, when AIX 4.3.2 and PSSP 3.1 were installed on it, you'd type
    spchvgobj -i bos.obj.ssp.432 -p PSSP-3.1 -v aix432 3 1 1
    spbootins -r install 3 1 1 
There's also a "Manual Node Conditioning" process that's too involved to go into now. Just realize that SP/2 nodes are different.

If this machine is already defined to NIM, ensure the CPUID is either correct or set to null. A problem arises during the install if you swap one machine for another after the old one was a NIM client: NIM remembers the old machine's CPUID and refuses to answer the nimclient requests the new machine makes at the end of the install. The symptoms are error messages in the install log on the new machine (viewable with an "alog -t bosinst -o" command), and NIM resources that are not deallocated after the install. To check, as root on the Control Workstation (as0000e1), type

     lsnim -l <machine name>
If you see a "cpuid =" line, then type
     nim -Fo change -a cpuid=   <machine name>
to reset it.

Another potential problem is ensuring the network adapter's MAC address is correct. For SP/2 nodes, it's in the SDR. For example, to see what it is for frame 3, node 1, type

     splstdata -b 3 1 1
and see the "hdw_enet_addr" column.

It's also defined in the NIM definition. Type

     lsnim -l as0301e0
and see the third word of the "if1" field. If it's zero, that's fine: NIM doesn't know the MAC address for this machine and will accept any machine that boots claiming to be it. On the other hand, if the MAC address is wrong, NIM will put the wrong entry in /etc/bootptab when you attempt to install AIX, and the install will never get going.

Assuming the machine isn't defined to NIM yet, to do so, as root on the Control Workstation (as0000e1), which is the NIM server for the original SP/2, and has also been the NIM server for the rest of the Patent Server machines. (See the change Ed Geraghty made to the /usr/lpp/ssp/bin/setup_server script in the unconfig_clients subroutine, to not delete this NIM master's clients when SP/2 changes are made to the SDR.)


Installing AIX from the NIM Server

Warning! Again, this section is for non-SP/2 nodes only. If this is an SP/2 node, use the normal, SP/2 procedures, e.g. use the spmon GUI, select the node, then do a "network-boot" using perspectives.

Logon to root on the Control Workstation (as0000e1). In the /spdata/sys1/install/scripts (or $s1) directory, you'll find a bunch of handy scripts all named do<something>.sh, which all write into a do.log file in the same directory, so refer to the do.log file to see what's been done to the different machines and when.

  1. cd /spdata/sys1/install/scripts, or cd $s1
  2. ./dobosinst.sh <the short I.P. name of the machine you want to install>, e.g. ./dobosinst.sh ar0080e0.
  3. Do whatever's appropriate for the machine type you're installing, to boot from 192.168.56.65.
Remember, the dobosinst.sh script allocates the defaultbosinst bosinst_data resource, which is at /spdata/sys1/install/bosinst_data/bosinst_data.default. That file specifies the installation settings. If you want something other than those defaults, unallocate the bosinst_data resource from the NIM machine object before starting the install.


Establish Initial Working Environment

Give root a password!

A fresh AIX install leaves root password-less. Fix that first.

Give root a minimal /.profile and /.kshrc.

/.profile should be
export PATH=$PATH:/local/bin
export ENV=/.kshrc
/.kshrc should be
export PS1="<$(whoami)@$(hostname -s):"'$PWD> '
alias c='echo \\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n;clear'
set -o vi
That's 60 double-backslash-n's. To put these into effect right now, type
   . /.profile
   ksh

Increasing Paging Sizes

Sometimes after installing AIX, the default paging space is too small. Type
    lsps -a
and ensure you have at least 512MB. To increase paging space,
    chps -s28 hd6            (28 is the number of PP's to add)
This is what I had to do for the new SP/2 nodes in the second frame. AIX gave me a default of 64MB paging, and with 16MB PP size, this command adds 28*16=448MB more, to give me a total of 512MB paging space. Adjust as appropriate for your situation.

Establish Name Service

To have consistent name service, ensure /etc/resolv.conf contains
nameserver 192.168.56.65               <- This should already be there.
nameserver 192.168.56.76               <- Add this line.
search patent.ibm.com patents.ibm.com  <- Replace the domain line with this.


Installing DCE & DFS

To define a machine (e.g. ar0080e0) to DCE & install and configure the DCE & DFS client code,
Logon to root on the Control Workstation (as0000e1).
export target=ar0080e0         or whatever machine you're doing
                               Use as....e0 interface.
dce_login cell_admin
cd /spdata/sys1/install/default/lppsource/scripts/dce  or cd $s2
./mkdceadmin.sh $target $target
Enter cell_admin's password when prompted.
If you get the message
    ./mkdceadmin.sh: host ar0080e0 is already registered... skipping
and you're sure you want to redefine the machine, for example, you may be reinstalling or reconfiguring a machine that at one point was already defined or partially defined, then type
    rmdce -o admin -h $target -F -g all
and rerun the mkdceadmin command above.

  • The mkdceadmin.sh script also adds this new machine principal to the group root_principals, with a
       dcecp -c group add root_principals -member /.../patent.ibm.com/hosts/ar0080e0/self
    
    command. If you ever want to ensure all "self" principals are in the root_principals group (perhaps somebody forgot to add one), you can type
       dcecp -c account cat | grep self | xargs -n 1 dcecp -c group add root_principals -member
    
    Now you're ready to install the DCE/DFS code on the client machine. As root on the client machine, type
    mount as0000e1:/spdata/sys1/install /mnt
    
    To install the /local file system, which gives you some local tools including perl, lockdown.sh, et cetera,
    /mnt/default/lppsource/scripts/dce/mklocallv.sh
    zcat /mnt/default/lppsource/scripts/dce/local.tar.Z | tar xvf -
    cp /mnt/default/lppsource/scripts/dce/mkdcecl.pl /tmp
    umount /mnt
    /tmp/mkdcecl.pl
    rm /tmp/mkdcecl.pl
    


To Install SSH, ADSM, PSSP Client code, and other AIX Filesets, and To Apply Service

    To install sshd, ADSM, and additional AIX filesets, and to apply service (presuming you've done the export target=ar0080e0, or whatever machine you're working with), logon to root on the Control Workstation (as0000e1) and type
    cd /spdata/sys1/install/scripts, or cd $s1
    ./dossh.sh $target
    ./doadsm.sh $target
    ./dogpmbase.sh $target
    
    And if this is not an SP/2 node (because SP/2 nodes already have the PSSP client code installed on them) and you want to be able to dsh commands to this machine (currently, the only machines I don't have set up like this are the 3 machines on the external, Internet network),
    ./dopssp_client.sh $target
         Then do as the script instructs, by scp-ing these 4 files over
            scp /etc/krb.conf       root@$target:/etc/krb.conf
            scp /etc/krb.realms     root@$target:/etc/krb.realms
            scp $target-new-srvtab root@$target:/etc/krb-srvtab
            scp /.klogin            root@$target:/.klogin
    ./doupdateall.sh $target
    
    If this new machine is a new SP/2 node, or you've just installed the PSSP client code as described above, then add this node's I.P. name to the appropriate WCOLL files in the /dishes directory on the Control Workstation. At a minimum, add it to the /dishes/all.all file, so it will be in the set of machines that share the common /etc/rc.local file (see below). If you get the message
    0042-001 nim: processing error encountered on "master":
       ar0080e0.patent.ibm.com: A remote host refused an attempted connect operation.
    0042-006 m_cust: (From_Master) rcmd A remote host refused an attempted connect operation.
    
    then the "shell" service controlled by inetd has been disabled by the /local/bin/lockdown.sh script (normally run from crontab). To "rearm" NIM, run /local/bin/rearm-nim.sh as root on the client machine, ar0080e0 in this example.

    If you get the message

    0042-001 nim: processing error encountered on "master":
       rshd: 0826-813 Permission is denied.
    0042-006 m_cust: (From_Master) rcmd Error 0
    
    or
    0042-001 nim: processing error encountered on "master":
       0042-001 m_cust: processing error encountered on "master":
       0042-193 m_nnc_setup: ar0083e0.patent.ibm.com has no entry for as0000e0 in .rhosts or cannot resolve host id
    
    or
    0042-001 nim: processing error encountered on "master":
       rshd: 0826-813 Permission is denied.
    0042-006 m_cust: (From_Master) rcmd The socket name is already in use. 
    
    then check the /.rhosts file on the client machine. Ensure it contains
    as0000e0.patent.ibm.com root
    
    if it's an SP/2 node, else
    as0000e1.patent.ibm.com root
    
    if it's not an SP/2 node. Newly-installed SP/2 nodes may get their /.rhosts file wiped out. Other newly-installed machines may have only the as0000e0 line in it.

    And lastly, if you get the message

    0042-001 nim: processing error encountered on "master":
       0042-037 m_allocate: the state of "ar0084e0" prevents this operation
            from succeeding
    
    0042-001 nim: processing error encountered on "master":
       0042-069 m_cust: the cust operation cannot be performed when
            the target has a Cstate of "bos_inst_ready"
    
    then check the client's NIM status, as root on the Control Workstation, with a
    lsnim -l $target
    
    command.  The Cstate line should be
    
       Cstate         = ready for a NIM operation
    
    If it's not, say it still shows
       Cstate         = BOS installation has been enabled
    
    and all the resources from the install are still allocated, then what might have happened is that you've installed AIX on a different computer than the one NIM thinks $target is. In other words, there used to be a different processor defined to NIM using your I.P. name. If this is the case, you'll see a cpuid line in the lsnim output that is wrong. If you reset that field with a
    nim -Fo change -a cpuid= $target
    or
    $s2/doreset.sh $target
    
    command, and have the client machine contact the NIM master, with say a
    nimclient -d
    
    from the client machine, the cpuid field will get filled in again with something different. If this isn't the case, then check the install log on the client machine via
    alog -t bosinst -o | more
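Each of the three failure messages above has a definite cause on the client. As an added example, not from the original runbook and not a script that exists on the Control Workstation, here are the corresponding checks as sh functions: whether the "shell" line in inetd.conf is active (what lockdown.sh disables and rearm-nim.sh restores), whether /.rhosts has the right master entry, no "+" wildcard, and mode 600, and whether saved lsnim -l output shows the ready Cstate. The functions take file paths as arguments so they can be tried on the constructed samples below; the sample contents and the master host name in them are constructed.

```shell
#!/bin/sh
# Added example, not from the original runbook: pre-flight checks on a client
# for the three NIM customization failures described above (rsh connect
# refused, .rhosts permission denied, wrong Cstate). Files are passed as
# arguments so the checks can be tried on constructed samples first.

# inetd_shell_enabled INETD_CONF -> 0 if the "shell" (rshd) service is active.
# lockdown.sh comments this line out, which produces the "refused an attempted
# connect operation" error; rearm-nim.sh puts it back.
inetd_shell_enabled() {
    grep -q '^shell[[:space:]]' "$1"
}

# rhosts_ok RHOSTS_FILE MASTER -> 0 if the file grants root on MASTER, has no
# '+' wildcard entry and is mode 600; each problem found is printed.
rhosts_ok() {
    f=$1; master=$2; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    if grep -q '^[[:space:]]*+' "$f"; then
        echo "$f: contains a '+' wildcard entry"; rc=1
    fi
    if ! awk -v h="$master" '$1 == h && $2 == "root" { found = 1 } END { exit !found }' "$f"; then
        echo "$f: no '$master root' entry"; rc=1
    fi
    set -- $(ls -l "$f")
    case $1 in
        -rw-------*) ;;
        *) echo "$f: mode is $1, want -rw------- (chmod 600)"; rc=1 ;;
    esac
    return $rc
}

# cstate_ready LSNIM_OUTPUT -> 0 if saved "lsnim -l <machine>" output shows
# Cstate = ready for a NIM operation, 1 otherwise (e.g. "BOS installation has
# been enabled" left over from an install that never checked back in).
cstate_ready() {
    awk -F' = ' '$1 ~ /^[ \t]*Cstate[ \t]*$/ { st = $2 }
                 END { exit (st != "ready for a NIM operation") }' "$1"
}

# Constructed samples (not real files) so the checks can be run anywhere.
make_samples() {
    dir=$1
    printf 'shell\tstream\ttcp\tnowait\troot\t/usr/sbin/rshd\trshd\n' > "$dir/inetd.ok"
    printf '#shell\tstream\ttcp\tnowait\troot\t/usr/sbin/rshd\trshd\n' > "$dir/inetd.locked"
    printf 'as0000e1.patent.ibm.com root\n' > "$dir/rhosts.ok"; chmod 600 "$dir/rhosts.ok"
    printf 'as0000e0.patent.ibm.com root\n+\n' > "$dir/rhosts.bad"; chmod 644 "$dir/rhosts.bad"
    printf '   Cstate         = ready for a NIM operation\n' > "$dir/lsnim.ready"
    printf '   Cstate         = BOS installation has been enabled\n' > "$dir/lsnim.stuck"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_samples "$d"
    inetd_shell_enabled "$d/inetd.locked" || echo "shell service disabled: run /local/bin/rearm-nim.sh"
    rhosts_ok "$d/rhosts.bad" as0000e1.patent.ibm.com || echo "fix /.rhosts before retrying"
    cstate_ready "$d/lsnim.stuck" || echo "Cstate not ready: check cpuid, then nimclient -d"
    rm -rf "$d"
fi
```

On a real client the calls would be inetd_shell_enabled /etc/inetd.conf, rhosts_ok /.rhosts as0000e1.patent.ibm.com (as0000e0 for an SP/2 node), and cstate_ready on a file holding the lsnim -l output copied from the Control Workstation.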
    


Miscellaneous Tasks

    To install aixcops & lsattack, login as root on the client machine and type
    1. zcat /local/bin/aixcops-lsattack.tar.Z | tar xvf -
    2. Add these lines to /etc/aliases
      # Aliases to health check distribution list, used by aixcops.
      healthck: jasper@almaden.ibm.com
      
      # Aliases to lsattack distribution list
      security: jcday@almaden.ibm.com, healthck
      
    3. sendmail -bi
    4. Replace the DS line in /etc/sendmail.cf with
      #  The original sendmail.cf had just DS in this line.
      #  I added our mail gateway alias.              RAJ  4/7/1998
      # DS
      DSmailgw.patents.ibm.com
      
    5. To get clean aixcops & lsattack runs,
      touch /etc/security/failedlogin
      touch /usr/adm/sulog
      chsec -f /etc/security/user -s default -a loginretries=5
      chsec -f /etc/security/user -s default -a histsize=4    
      chsec -f /etc/security/user -s default -a maxage=26     
      chsec -f /etc/security/user -s default -a minalpha=1
      chsec -f /etc/security/user -s default -a minother=1
      chsec -f /etc/security/user -s default -a minlen=6  
      chsec -f /etc/security/user -s default -a mindiff=1
      chsec -f /etc/security/user -s default -a maxrepeats=2
      chmod 600 /.rhosts
      
      Also insert these lines in the /etc/motd file.
      *  IBM Business Use Statement:                                                *
      *       IBM's internal systems must be only used for conducting               *
      *       IBM's business or for purposes authorized by IBM management.          *
      *       Use is subject to audit at any time by IBM management.                *
      *                                                                             *
      *     Highest Classification of Data allowed on this system is                *
      *                           UNCLASSIFIED                                      *
      
      Note that the permissions on /etc/motd don't allow write, so as root, you need to force vi to write it with ":x!".
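To confirm the chsec settings from step 5 actually took, and to catch drift later, it helps to read the default stanza back rather than trust the commands ran (lssec -f /etc/security/user -s default -a <attr> shows one attribute at a time). As an added example, not from the original runbook, the following sh script parses the stanza format of /etc/security/user and reports every attribute whose value differs from the ones set above. The file it checks here is constructed, with maxage left out and minlen still at 0, so that the audit has something to flag; on a real machine you would point it at /etc/security/user.

```shell
#!/bin/sh
# Added example, not from the original runbook: audit the default stanza of
# /etc/security/user against the values the runbook sets with chsec.

# Required attribute=value pairs, exactly the chsec values from step 5.
REQUIRED="loginretries=5 histsize=4 maxage=26 minalpha=1 minother=1 minlen=6 mindiff=1 maxrepeats=2"

# stanza_attr FILE STANZA ATTR -> prints the value, or nothing if unset.
# AIX stanza files look like "default:" followed by indented "attr = value"
# lines; "*" starts a comment.
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[A-Za-z_][^:]*:[ \t]*$/ { in_stanza = ($1 == stanza ":"); next }
        in_stanza && $1 == attr && $2 == "=" { print $3; exit }
    ' "$1"
}

# audit_user_defaults FILE -> prints one "attr: want X, have Y" line per
# mismatch; returns 0 when everything matches, 1 otherwise.
audit_user_defaults() {
    rc=0
    for pair in $REQUIRED; do
        attr=${pair%%=*}; want=${pair#*=}
        have=$(stanza_attr "$1" default "$attr")
        if [ "$have" != "$want" ]; then
            echo "$attr: want $want, have ${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real machine's file): maxage is missing and
# minlen is still 0, so the audit should flag exactly those two.
make_sample() {
    cat > "$1" <<'EOF'
*
* constructed sample of /etc/security/user
*
default:
        admin = false
        login = true
        loginretries = 5
        histsize = 4
        minalpha = 1
        minother = 1
        minlen = 0
        mindiff = 1
        maxrepeats = 2

root:
        admin = true
        loginretries = 0
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); make_sample "$tmp"
    audit_user_defaults "$tmp"; echo "exit=$?"
    rm -f "$tmp"
fi
```

The parser keys on the stanza header so that a root: stanza with its own loginretries (as in the sample) does not mask a wrong value in default:, which is the stanza the chsec commands above edit.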

    To link in the /usr/local stuff from DFS,

    • ln -s /dfs/apps/userlocal /usr/local

    Create an /etc/rc.local file

    It's very likely you should use the /etc/rc.local that's on the Control Workstation. That version is shared among the SP/2 nodes as well as almost every other machine on the Patent site. Modify it as appropriate for this new machine, and see the directions in the beginning comments of the file on how to propagate it to all the machines that share it. Essentially, you use the pcp command to propagate it.

  • Put this at the bottom of /etc/inittab.
    rclocal:2:wait:/etc/rc.local > /dev/console 2>&1
    

    To add the normal automation stuff, presuming of course you've done all of the above steps, as root on the client machine, add these lines to crontab.

    #
    #  Hourly run the lockdown script to insure we stay secure.
    18 * * * * /local/bin/lockdown.sh -quiet >> /tmp/lockdown.log
    #
    #  Nightly resynch if need be, the /local/bin file system.
    37 2 * * * /local/bin/resynch.local.bin.sh > /dev/null 2>&1
    #
    #  Run aixcops monthly & lsattack (quietly, thus the wrapper) daily.
    0 1 28 * * /aixcops/src/aixcops -e -b error -f /aixcops/src/umask.filter -m healthck -d -v 2>&1 >/dev/null
    0 3 * * * /usr/lss/lsattack/lsattack-wrapper
    #
    #  Remove old files, that is, not referenced in 30 days from known temp areas.
    0 2 * * * find /tmp     -atime +30 -exec rm -f {} \; 2>/dev/null
    0 2 * * * find /var/tmp -atime +30 -exec rm -f {} \; 2>/dev/null
    

    To keep the clock synchronized (if not already done by the PSSP software),

    • Change the /etc/ntp.conf file. By default, it has "broadcastclient". Replace "broadcastclient" with these two lines
      server 192.168.56.65
      server 192.168.56.76
      
    • chrctcp -a xntpd
    • startsrc -s xntpd


Shutting Off Extraneous Ports & Turning Off Unneeded Daemons

    To shut off extraneous ports and unneeded daemons, logon to root on the client machine, and run
    /local/bin/lockdown.sh
    
    Note that an hourly call to lockdown.sh was added to crontab in a step above, so you may not want or need to do this now.

    On the other hand, especially if this is a new install, note that lockdown.sh does not stop daemons that are already running, so sendmail, for example, will still be running after lockdown.sh finishes. The easy way to reset everything is to run lockdown.sh once, then

    reboot -q
    


Getting ADSM Nightly Backups Running

    • Contact Darrell Gleddie or Rick Haeckel to get this node defined to the ADSM server. Make note of the new password assigned to this account, typically new4now.
    • Copy /usr/lpp/adsm/bin/dsm.opt from another system. It should contain simply
      SErvername adsmsrv1
      
    • Copy /usr/lpp/adsm/bin/dsm.sys from another system and change the last line, the "Nodename" line, to reflect this node's nodename.
    • Copy /usr/lpp/adsm/bin/inclexcl.dsm from another system and update as appropriate.
    • To satisfy the initial password request, which also changes the password to something else and remembers it from now on, type dsmc, then "q b" (short for "query backup"). Of course there'll be nothing backed up yet, but it will prompt you for the password. Type "quit" to exit the ADSM program.
    • Add these lines to crontab.
      #
      # Adsm backup and log cleanup
      35 22 * * * /local/bin/adsm.backup
      
    • Just for your information, it takes about an hour to do the initial backup to ADSM of a newly-installed system.