
NIM server initialisation

Installing the required filesets, from base AIX CD
  bos.sysmgt.nim.master
  bos.sysmgt.nim.client
  bos.sysmgt.nim.spot

Initializing the NIM master

Start a simple configuration, with advanced mode, to register the minimum configuration

Using SMIT

smit nim -> Configure the NIM Environment -> Advanced Configuration -> Initialize the NIM Master Only

Or using command line

# nimconfig -a pif_name=en0 -a netname=net_prod -a client_reg=yes -a master_port=1058 -a cable_type='N/A'

To Configure SSL for the NIM Environment

# nimconfig -c

http://www-01.ibm.com/support/docview.wss?uid=isg3T1010383

Enable NFSv4

Configuring NIM with NFS V4

Using NFSv4 in your environment provides multiple advantages, such as improved network performance, increased security, and simpler firewall configuration (NFSv4 uses a single TCP connection to port 2049, which eliminates the need to open a wide range of ports). Another advantage of NFSv4 is that all exports can be mounted together in a directory tree structure as part of a pseudo-filesystem, instead of having to mount each export separately.

1. Must have an NFS v4 Domain Name. To verify:

# chnfsdom

If there is no Domain Name set, you need to set it with:

# chnfsdom <domain name>

2. Must have the nfsrgyd daemon active. To verify:

# lssrc -s nfsrgyd
Subsystem         Group               PID              Status
nfsrgyd                  nfs               14877168        active

If the subsystem is inactive, you can start it with:

# startsrc -s nfsrgyd
0513-059 The nfsrgyd Subsystem has been started. Subsystem PID is 14877168.

Note: You need to have an NFS domain setup before starting the nfsrgyd daemon.

Changing your NIM Master to NFSv4

The first step in migrating your NIM environment to NFSv4 is to enable NFSv4 on your NIM Master.

Once the NFS domain name is determined, you need to add it to your NIM Master definition:

# nim -o change -a nfs_domain=<NFS domain name> master

Note: The above command not only populates the NIM ODM, it also calls the # chnfsdom <NFS domain name> command afterwards and overwrites the actual NFS Domain name. Check carefully for spelling errors before executing the NIM command if you want to specify an existing NFS domain.

Keep in mind that if your NIM Master is configured to use NFS v4, you can only use NFS v4 compliant NIM resources.

Working with NFSv4 NIM resources

Every NIM resource in your NFSv4 environment needs to be nfs_vers enabled. The first time that you configure NFSv4 on your NIM Master, you will need to add the nfs_vers=4 attribute to all of your existing NIM resources:

NFSv3 lpp_source:

# lsnim -l 7100_05_00_lpp
7100_05_00_lpp:
class       = resources
type        = lpp_source
arch        = power
Rstate      = ready for use
prev_state  = ready for use
location    = /export/lpp_source/7100_05_00_lpp
simages     = yes
alloc_count = 0
server      = master

You can change the NFS version of the NIM resource with:

# nim -o change -a nfs_sec=sys -a nfs_vers=4 <NIM resource>

You can then confirm by running the # lsnim -l command again:

NFSv4 lpp_source:

# lsnim -l NFSlpp
NFSlpp:
class       = resources
type        = lpp_source
arch        = power
Rstate      = ready for use
prev_state  = unavailable for use
nfs_vers    = 4
location    = /export/lpp_source/7100_05_00_lpp
alloc_count = 0
server      = master

You need to change the version on all of your existing NIM resources.
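To find which resources still need the change, the following added example (not part of the original page) parses stanza output in the lsnim -l format shown above and prints, without running it, the nim -o change command for every resources-class object that lacks nfs_vers = 4. The sample stanzas are constructed from the two listings above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (dry run): nothing here calls nim; it only prints commands.

# Constructed sample in the lsnim -l stanza format shown above.
sample_lsnim() {
cat <<'EOF'
7100_05_00_lpp:
   class       = resources
   type        = lpp_source
   Rstate      = ready for use
   location    = /export/lpp_source/7100_05_00_lpp
   server      = master
NFSlpp:
   class       = resources
   type        = lpp_source
   nfs_vers    = 4
   location    = /export/lpp_source/7100_05_00_lpp
   server      = master
master:
   class       = machines
   type        = master
EOF
}

# Read stanzas on stdin; print each resources-class object lacking nfs_vers = 4.
resources_not_nfs4() {
    awk '
        function emit() { if (name != "" && isres && vers != "4") print name }
        /^[^=]*:[ \t]*$/ {            # stanza header: "name:" with no "="
            emit(); name = $0
            gsub(/^[ \t]+|:[ \t]*$/, "", name); isres = 0; vers = ""; next
        }
        {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "class" && val == "resources") isres = 1
            if (key == "nfs_vers") vers = val
        }
        END { emit() }'
}

# Print the change command given on this page for each resource found.
plan_nfs4_changes() {
    resources_not_nfs4 | while read -r res; do
        printf 'nim -o change -a nfs_sec=sys -a nfs_vers=4 %s\n' "$res"
    done
}

sample_lsnim | plan_nfs4_changes
```

Review the printed commands before running any of them on the NIM master.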

Once all of your NIM resources are changed to NFSv4, you can use "-a nfs_vers=4" together with the "nim -o define" command to define NFSv4 NIM resources.

# nim -o define -t lpp_source -a location=/export/lpp_source/<lpp_source name> -a nfs_vers=4 -a server=master -a source=/dev/cd0 -a packages=all <lpp_source name>

# nim -o define -t spot -a server=master -a source=<lpp_source or mksysb> -a location=/export/spot/<name of spot> -a nfs_vers=4 -a auto_expand=yes <SPOT name>

# nim -o define -t mksysb -a mk_image=yes -a mksysb_flags="-i" -a source=<NIM Client> -a location=/export/mksysb/<mksysb name> -a nfs_vers=4 -a server=master <mksysb name>

These options are available in all smitty menus as well. The two attributes you need to change are:

NFS Client Security Method
NFS Version Access

Example with SPOT resource creation:

* Resource Name                                      [spot_7231]
* Resource Type                                       spot
* Server of Resource                                 [master]
  Source of Install Images                           [L_72_03_01]
* Location of Resource                               [/export/spot/spot_7231]
  NFS Client Security Method                         [sys]
  NFS Version Access                                 [4]  
  EXPAND file systems if space needed?                yes
  Comments                                           [NFSv4 SPOT]

  installp Flags
  PREVIEW only? (install operation will NOT occur)    no
  COMMIT software updates?                            no
  SAVE replaced files?                                yes
  AUTOMATICALLY install requisite software?           yes  
  OVERWRITE same or newer versions?                   no  
  VERIFY install and check file sizes?                no  

Enable NIM over http

The HTTP protocol provides the following advantages for NIM management:

  • All communication occurs over a single HTTP port. Hence, the authorization through a firewall is easier to manage.
  • AIX installation steps are driven from the client's end, that is, the target system of the installation. Therefore remote access is not required for running the commands.
  • NIM or any other products that currently use the client-server model of NFS can easily use HTTP.
  • Able to extend the end product to support additional protocols.

Enabling the nimhttp service on the NIM server

# nimconfig -h

Note: The crypto or ssl setting is automatically discovered.

An example of the default httpd.conf configuration file follows:

> cat /httpd.conf
#
#
#http service defines
#
#
service.name=nimhttp
# Designates the service name used  when discovering the listening port for requests (i.e., nimhttp)
#
service.log=/var/adm/ras/nimhttp.log
#Log of access attempts and equivalent responses. Also useful for debug purposes.
#
# service.proxy_port=
#Designates the service portnumber used when configured as a proxy.
#
#---------------------------------------------------------------
#	http configuration
#---------------------------------------------------------------
#	
document_root=/export/nim/
#Designates the directory to serve files from.
#	
enable_directory_listing=yes
#Allow requests for listing served files/directories under the document root.
#
enable_proxy=no
#Enable the webservice to act as a proxy server.
#
ssl.cert_authority=/ssl_nimsh/certs/root.pem
#Designates the file location of the certificate authority used for digital certificate signing.
#
ssl.pemfile=/ssl_nimsh/certs/server.pem
#Designates the file location of the PEM format file which contains both a certificate and private key.
#

document_root path

Files that are not defined as resource locations can be accessed by using the HTTP protocol. These files must be located in the path setting of the document_root. The defined document_root path location cannot be modified when the nimhttp service is operational.

The document_root path might contain many directories. When you set the enable_directory_listing option, client requests can travel the document_root path. If the enable_directory_listing option is set to value of no, all files that are used during the installation must be located in the current working directory of the document_root path.
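The settings above that decide what a client can reach are enable_directory_listing, enable_proxy and the two ssl.* paths. The following added example (not part of the original page or of NIM) reads an httpd.conf in this key=value format and reports them; the finding labels, the function names and the rule that the PEM file holding the private key should not be group- or other-readable are this example's own assumptions, and the sample file is constructed from the default shown above with the ssl.* paths redirected to a temporary directory.

```shell
#!/bin/sh
# Added example: the findings are this example's own review rules.

# Constructed sample: active lines of the default file above, with the two
# ssl.* paths pointed into DIR so the example runs anywhere.
write_sample() {
    : > "$1/server.pem"; chmod 644 "$1/server.pem"
    cat > "$1/httpd.conf" <<EOF
service.name=nimhttp
service.log=/var/adm/ras/nimhttp.log
# service.proxy_port=
document_root=/export/nim/
enable_directory_listing=yes
enable_proxy=no
ssl.cert_authority=$1/root.pem
ssl.pemfile=$1/server.pem
EOF
}

# conf_get KEY FILE: print the last uncommented value of KEY (empty if unset).
conf_get() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        { n = index($0, "="); if (n == 0) next
          key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
          if (key == k) v = substr($0, n + 1) }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$2"
}

# audit_conf FILE: print one finding per line; print nothing if clean.
audit_conf() {
    f=$1
    if [ "$(conf_get enable_directory_listing "$f")" = yes ]; then
        echo "LISTING: tree under $(conf_get document_root "$f") is browsable"
    fi
    if [ "$(conf_get enable_proxy "$f")" = yes ]; then
        echo "PROXY: service also acts as a proxy server"
    fi
    pem=$(conf_get ssl.pemfile "$f")
    if [ -z "$pem" ] || [ -z "$(conf_get ssl.cert_authority "$f")" ]; then
        echo "SSL: ssl.cert_authority or ssl.pemfile is not set"
    elif [ -f "$pem" ] && [ -n "$(find "$pem" \( -perm -040 -o -perm -004 \))" ]; then
        echo "KEYPERM: $pem holds a private key and is group/other readable"
    fi
    return 0
}

demo_dir=$(mktemp -d) && write_sample "$demo_dir"
audit_conf "$demo_dir/httpd.conf"
rm -rf "$demo_dir"
```

On a NIM master, call audit_conf with the path of the real httpd.conf instead of the demo lines at the end.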

Disabling the nimhttp service on the NIM server

# nimconfig -H

The certificate authority and root Privacy Enhanced Mail (PEM) files used in the nimhttp service can be created by using the existing SSL management option in NIM. To create the ssl.cert_authority and ssl.pemfile files that are used by the nimhttp service, run the following command on the NIM master:

# nimconfig -c

Note: You do not need to create the ssl.cert_authority and ssl.pemfile files if these SSL files exist in the current directory.

To check whether the NIM master has been configured for SSL authority before starting the nimhttp service by using the SSL option, run the following command on the NIM master:

# lsnim -a ssl_support

NIM resources that support HTTP access

The following resources can access the http file by using the nimhttp service:

  • file_res
  • fix_bundle
  • installp_bundle
  • lpp_source
  • script

Log file:

/var/adm/ras/nimhttp.log

Client command

Use three hyphens (---) to specify and update using nimhttp:

nimclient -o cust -a lpp_source=<obj_name> ---a fixes=update_all

https://www.ibm.com/docs/en/aix/7.2?topic=cnmcbir-using-nim-installing-aix-updates-new-packages-over-http-protocol

https://www.linkedin.com/pulse/yum-nimhttp-armin-schmidt

aix/nim_server_install.txt · Last modified: 2024/08/19 19:32 by manu