The AIX Service Update Management Assistant (SUMA), has been available to administrators since the heady days of AIX 5.3, in 2004. It’s now 2018 and SUMA is still here, ready and willing to help administrator’s move “away from the manual task of retrieving maintenance updates from the Web”.
I’ve found the following (old) document (from 2011) to be a great SUMA reference. I highly recommend reading it, particularly if you are new to SUMA and want to get started using the tool, quickly.
Best Practices: Managing AIX Updates using SUMA, NIM, and AIX Service Tools
https://www-304.ibm.com/webapp/set2/sas/f/best/Managing_AIX_Updates_Best_Practices.pdf
“SUMA provides customers with flexible, task-based options allowing them to perform unattended downloads of AIX software updates from the IBM Support Web site, thereby allowing customers to move toward an automatic maintenance strategy which helps reduce the time spent on system administration”.
Another excellent (and very recent) write up on SUMA is available here: https://www.linkedin.com/pulse/do-you-know-what-suma-regarding-aix-power-systems-philippe-herm%C3%A8s/. Written by IBMer, Philippe Hermès, it covers much of what I’m about to discuss here but spends a little more time on connectivity options and verification. Please take the time to read it.
If you’re not currently using SUMA to download AIX fixes (from IBM’s Fix Central website), then the first thing you should do, is verify that your AIX system can access the Fix Central servers on the Internet.
Note: Many admin’s choose to run SUMA (suma) from their NIM master. This is a logical location, from which to run suma, as once the fixes have been downloaded, they can be distributed to NIM clients.
To verify that suma can get through your firewall to the IBM fix servers, run the following command (from the AIX system where you want to download the fixes):
# /usr/esa/bin/verifyConnectivity -tw
Performing Connectivity Verification Test
success Edge_Bulk_Data_1 esupport.ibm.com 129.42.56.189 443
success Edge_Bulk_Data_2 esupport.ibm.com 129.42.54.189 443
success Edge_Bulk_Data_3 esupport.ibm.com 129.42.60.189 443
success Edge_Bulk_Data_4 esupport.ibm.com 2620:0:6c2:200:129:42:60:189 443
success Edge_Bulk_Data_5 esupport.ibm.com 2620:0:6c4:200:129:42:54:189 443
success Edge_Bulk_Data_6 esupport.ibm.com 2620:0:6c0:200:129:42:56:189 443
success Edge_Fix_Repository_1 esupport.ibm.com 129.42.56.189 80
success Edge_Fix_Repository_2 esupport.ibm.com 129.42.54.189 80
success Edge_Fix_Repository_3 esupport.ibm.com 129.42.60.189 80
success Edge_Fix_Repository_4 esupport.ibm.com 2620:0:6c2:200:129:42:60:189 80
success Edge_Fix_Repository_5 esupport.ibm.com 2620:0:6c4:200:129:42:54:189 80
success Edge_Fix_Repository_6 esupport.ibm.com 2620:0:6c0:200:129:42:56:189 80
12 successes
0 failures
Connectivity Verification Test Results: succeeded
If these tests fail, then you may need to work with your network security team to determine why you are unable to access these servers.
The verifyConnectivity command is delivered with the bos.esagent fileset. The command has a bunch of options, which you can use to help troubleshoot connectivity issues to the IBM fix servers.
# lslpp -w /usr/esa/bin/verifyConnectivity
File Fileset Type
----------------------------------------------------------------------------
/usr/esa/bin/verifyConnectivity bos.esagent File
# /usr/esa/bin/verifyConnectivity
This command performs a connectivity verification test for programs that
use IBM Electronic Customer Care. By default, all connectivity points
exercised by ECC on behalf of the programs are tested.
verifyConnectivity -t [-b] [-q] [-f specfile] [-w]
verify connectivity to connect points
verifyConnectivity -l [-f specfile] [-w]
display connect point aliases
verifyConnectivity -p [-f specfile] [-w]
display connect point details (ip, hostname, port, protocol)
verifyConnectivity
verifyConnectivity -h
verifyConnectivity -?
display this message
-h : this (help) message
-? : this (help) message
-l : list connect point aliases
-p : list connect point details (ip, hostname, port, protocol)
-t : perform the connectivity test
-b : list only test failures and summary messages
-q : disable console mode
-f : use a filter file to limit connect points
-w : use a comprehensive list of connect points (recommended with -f)
I usually like to download my fixes to a specific location with suma. So I typically modify the download to suit, as follows.
# suma -D -a DLTarget=/nim/cg/fixes/
# suma -D
DisplayName=
Action=Download
RqType=Latest
RqName=
Repeats=y
DLTarget=/nim/cg/fixes/
NotifyEmail=root
FilterDir=/usr/sys/inst.images
FilterML=
MaxDLSize=-1
Extend=y
MaxFSSize=-1
There’s a known bug with recent AIX levels that can prevent suma from running successfully. If you hit this problem, contact IBM AIX support and request and ifix for this problem (APAR IJ06197)
# suma -x -a RqType=SP -a Action=Download -a FilterML=7200-02 -a RqName=7200-02-01-1731 -a DLTarget=/nim/cg/fixes/7200-02/SPs/7200-02-01
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 22
Exception in thread "main" java.lang.NullPointerException
at ECCWrapper.orderUpdates(ECCWrapper.java:551)
at ECCWrapper.main(ECCWrapper.java:153)
0500-012 An error occurred attempting to download.
IJ06197: SUMA MAY CAUSE A NULLPOINTEREXCEPTION
http://www-01.ibm.com/support/docview.wss?uid=isg1IJ06197
If yo need help from IBM support, with a SUMA specific issue, please refer to the following Technote for information on debugging and troubleshooting SUMA related issues.
Getting assistance for SUMA errors through AIX Support
https://www-01.ibm.com/support/docview.wss?uid=ibm10719985
Recently, I wanted to download the latest fixes for AIX 7.2 TL2, so I ran the following command to preview the list of latest available fixes. SP2 was the latest available for download.
# suma -x -a Action=Preview -a RqType=Latest -a FilterML=7200-02
****************************************
Performing preview download.
****************************************
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 22
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/7200-02-02-1832.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/7200-02-01-1732.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878472.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874962.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874961.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874960.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874959.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878332.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878331.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878330.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878329.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878328.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878327.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878326.bff
…etc…
I did the same (preview) for AIX 7.1 TL5 and found that SP2 was the latest available for download.
# suma -x -a Action=Preview -a RqType=Latest -a FilterML=7100-05
****************************************
Performing preview download.
****************************************
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 22
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/7100-05-02-1832.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878474.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U860281.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874813.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874812.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U874811.bff
Download SUCCEEDED: /usr/sys/inst.images/installp/ppc/U878344.bff
…etc…
Then I went ahead and downloaded SP2 for 7200-02.
# suma -x -a RqType=SP -a Action=Download -a FilterML=7200-02 -a RqName=7200-02-02-1832 -a DLTarget=/nim/cg/fixes/7200-02/SPs/7200-02-02
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 22
Download SUCCEEDED: /nim/cg/fixes/7200-02/SPs/7200-02-02/installp/ppc/7200-02-02-1832.bff
Download SUCCEEDED: /nim/cg/fixes/7200-02/SPs/7200-02-02/installp/ppc/U878472.bff
Download SUCCEEDED: /nim/cg/fixes/7200-02/SPs/7200-02-02/installp/ppc/U874962.bff
Download SUCCEEDED: /nim/cg/fixes/7200-02/SPs/7200-02-02/installp/ppc/U874961.bff
…etc…
With the imminent release of AIX 7.2 TL3, I was patiently waiting for the fixes to become available.
# suma -x -a Action=Preview -a RqType=Latest -a FilterML=7200-03
****************************************
Performing preview download.
****************************************
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 22
0500-035 No fixes match your query.
Then, September 22nd, they were up on the Fix Central site. So, I downloaded them immediately.
# mkdir -p /nim/cg/fixes/SPs/7200-03/7200-03-01
# suma -x -a RqType=SP -a Action=Download -a FilterML=7200-03 -a RqName=7200-03-01-1838 -a DLTarget=/nim/cg/fixes/SPs/7200-03/7200-03-01
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 22
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/7200-03.bff
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/7200-03-01.bff
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/U880578.bff
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/U880576.bff
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/U880575.bff
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/U880577.bff
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/U880574.bff
...etc…
Download SUCCEEDED: /nim/cg/fixes/SPs/7200-03/7200-03-01/installp/ppc/U856908.bff
Total bytes of updates downloaded: 5654346752
Summary:
992 downloaded
0 failed
0 skipped
There’s a handy little script, which you can grab here: http://forums.rootvg.net/administration/when-suma-software-is-ready-to-download/, that will check the IBM Fix Central site for the TLs and SPs, that you specify. Then you can either run the command on demand, or schedule it via cron, to check whether the TL or SP (or both) are available for download.
# /nim/cg/fixes/suma_check.ksh
Sat Sep 22 02:16:07 AEST 2018: AIX TL 7200-03: is AVAILABLE for DOWNLOAD.
Sat Sep 22 02:16:07 AEST 2018: AIX SP 7200-03-01: is AVAILABLE for DOWNLOAD.
Sat Sep 22 02:16:07 AEST 2018: AIX SP 7200-02-03: is NOT available for download.
Sat Sep 22 02:16:07 AEST 2018: AIX SP 7100-05-03: is AVAILABLE for DOWNLOAD.
I observed that, whilst suma was running, there were several connections to the external IBM fix servers (visible with lsof). The java process (below) is called by suma to manage the download process(es).
# lsof -i tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
…etc…
java 11928000 root 96u IPv6 0xf1000f000346e3b8 0t825707 TCP nim1:32816->129.42.60.189:https (ESTABLISHED)
java 11928000 root 103u IPv6 0xf1000f00034d83b8 0t0 TCP nim1:32861->129.42.60.189:http (ESTABLISHED)
java 11928000 root 104u IPv6 0xf1000f000346d3b8 0t0 TCP nim1:32869->129.42.60.189:http (ESTABLISHED)
java 11928000 root 108u IPv6 0xf1000f00034d8bb8 0t0 TCP nim1:32863->129.42.60.189:http (ESTABLISHED)
java 11928000 root 110u IPv6 0xf1000f00034da3b8 0t0 TCP nim1:32868->129.42.60.189:http (ESTABLISHED)
java 11928000 root 112u IPv6 0xf1000f000346ebb8 0t0 TCP nim1:32867->129.42.60.189:http (ESTABLISHED)
java 11928000 root 114u IPv6 0xf1000f000346bbb8 0t0 TCP nim1:32865->129.42.60.189:http (ESTABLISHED)
java 11928000 root 115u IPv6 0xf1000f00034db3b8 0t0 TCP nim1:32870->129.42.60.189:http (ESTABLISHED)
java 11928000 root 117u IPv6 0xf1000f00034dbbb8 0t0 TCP nim1:32852->129.42.60.189:http (ESTABLISHED)
# ps wwwwww | grep 11928000
11928000 pts/0 A 0:12 /usr/java7_64/jre/bin/java -cp /usr/ecc/lib/SystemContext.jar:/usr/ecc/lib/com.ibm.ws.webservices.thinclient_8.5.0.jar:/usr/ecc/lib/SysMgmtCore.jar:/usr/ecc/lib/ConnectivityServices.jar:/usr/ecc/lib/xmldsig.jar:/usr/ecc/lib/TQserrano2.jar:/usr/ecc/lib/UpdateServices.jar:/usr/ecc/lib/ibmxmlcrypto.jar:/usr/ecc/lib/Protocol.jar:/usr/ecc/lib/CommonServices.jar:/usr/ecc/lib/InventoryServices.jar:/usr/ecc/lib/InventoryCollectionClient.jar:/usr/suma/lib/ecc/eccWrapper.jar:/usr/ecc/lib/ESAUtilities_1.0.0.jar ECCWrapper
Note: Make sure you are entitled to download fixes from Fix Central before you start. You must have a valid, up to date, paid for, hardware and software maintenance agreement in place, with IBM. If you attempt to download fixes from a system that is not currently entitled, then suma will report the following message:
# suma -x -a RqType=SP -a Action=Download -a FilterML=7200-03 -a RqName=7200-03-01-1838 -a DLTarget=/cg/7200-03/7200-03-01
Platform Extension: information for proxy SAS not found in repository
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 48
Storing auth proxy creds for SAS
successfully stored auth proxy creds for SAS
Storing auth proxy creds for PROFILE_URIS_LENGTH
successfully stored auth proxy creds for PROFILE_URIS_LENGTH
Storing auth proxy creds for PROFILE_URI_0
successfully stored auth proxy creds for PROFILE_URI_0
0500-059 Entitlement is required to download.
The system's serial number is not entitled.
Please go to the Fix Central website to download fixes.
Unfortunately, many administrators are unable to take advantage of suma, because their network security teams will not provide them the necessary firewall rules to access the external (Internet) servers. This is a shame, as having the ability to either automatically or “on-demand” download fixes, directly to your AIX system is fast and efficient and makes the AIX admin’s job a whole lot easier!