WARNING! Let me make this perfectly clear! The procedure that is shown below is NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT contact IBM support for help. They will not be able to assist you. They will ask you to change the nimsh port numbers back to the defaults. They will ask you to change your SAP application to use a different port number. YOU HAVE BEEN WARNED!
Here’s a problem I’ve encountered more than once.
Someone installs SAP onto an AIX system and decides to use TCP port 3901 as an SAP service port. This is the same port used by nimsh. In some rare cases, nimsh may not be active on the LPAR, which makes it easy for the SAP installation to hijack port 3901. If nimsh is active, the person installing SAP may consciously stop nimsh and use port 3901 for SAP anyway. Hopefully that doesn’t happen. Hopefully, they will talk to the AIX administrator and discuss the best way forward. Hopefully...
In either case, if the port is taken by SAP, nimsh will no longer work. If you love using NIM as much as I do, this is a real problem! We could revert to using rsh, but no one will do this anymore because of concerns around security. And rightfully so!
The ports used by nimsh (3901 and 3902) are registered with the Internet Assigned Numbers Authority (IANA). These port numbers appear in the /etc/services file.
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
nimaux 3902/tcp # NIMsh Auxiliary Port
nimaux 3902/udp # NIMsh Auxiliary Port
Considering these port numbers are registered with IANA, we can usually persuade our SAP colleagues to change their SAP installation to use a different port number. However, depending on the skills/experience of the SAP resource, one of two things usually happens: 1) they take an outage, re-install SAP and choose a different port number, or 2) the more experienced/confident SAP Basis resource takes an outage and modifies the instance to use a different port, without reinstalling SAP.
Perhaps SAP need to include a warning in their install notes, advising customers not to use port 3901 on AIX systems (i.e. best practice)?
Now, if you must change nimsh to use a different port number, it is possible. But not recommended.
WARNING! Let me make this perfectly clear! The procedure that is shown below is NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT contact IBM support for help. They will not be able to assist you. They will ask you to change the nimsh port numbers back to the defaults. They will ask you to change your SAP application to use a different port number. YOU HAVE BEEN WARNED!
To do this, you must change the /etc/services file on the NIM master and the NIM client so that both reflect the same port number for nimsh. This will work until the NIM master or the NIM client has its services file overwritten by an install or fileset update, after which the default values for nimsh will be reinstated.
You would also need to change the services file on all of your NIM clients. Every time you performed a NIM fileset update, you would need to remember to change the /etc/services file again. This is painful and bound to catch someone out eventually!
In the following example I’ll demonstrate how to change the port number used by nimsh.
We start with a typical nimsh configuration using port 3901. On the NIM client, nimsh is listening on port 3901.
nimaix / # lsof -i tcp:3901
Value of I :77 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nimsh 2883740 root 4u IPv6 0xf1000e0006f843b0 0t0 TCP *:nimsh (LISTEN)
On the NIM master we can connect to the NIM client on port 3901.
nimmast / # nim -o lslpp nimaix | head -10
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
Firefox.base.rte 2.0.0.20 COMMITTED Firefox Web Browser
ICU4C.rte 6.1.4.0 COMMITTED International Components for
Unicode
6.1.4.1 COMMITTED International Components for
Unicode
6.1.6.0 COMMITTED International Components for
Unicode
...
The /etc/services files on both the NIM client and the master have the same port number for nimsh.
nimmast / # grep nimsh /etc/services
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
nimaix / # grep nimsh /etc/services
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
To change the port number for nimsh, first we select an unused port number, in this case 39011.
nimaix / # lsof -i tcp:39011
Value of I :77 np:0
We update the /etc/services file on the master and the client to reflect the new port number.
nimaix / # grep nimsh /etc/services
#nimsh 3901/tcp # NIM Service Handler
#nimsh 3901/udp # NIM Service Handler
nimsh 39011/tcp # NIM Service Handler
nimsh 39011/udp # NIM Service Handler
nimmast / # grep nimsh /etc/services
#nimsh 3901/tcp # NIM Service Handler
#nimsh 3901/udp # NIM Service Handler
nimsh 39011/tcp # NIM Service Handler
nimsh 39011/udp # NIM Service Handler
We stop and start nimsh on the client and confirm that nimsh is now listening on the new port number, 39011.
nimaix / # stopsrc -s nimsh
0513-044 The nimsh Subsystem was requested to stop.
nimaix / # startsrc -s nimsh
0513-059 The nimsh Subsystem has been started. Subsystem PID is 2883742.
nimaix / # lsof -i tcp:39011
Value of I :77 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nimsh 2883742 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)
From the NIM master we connect to the NIM client using the nim command.
nimmast / # nim -o lslpp nimaix | head -10
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
Firefox.base.rte 2.0.0.20 COMMITTED Firefox Web Browser
ICU4C.rte 6.1.4.0 COMMITTED International Components for
Unicode
6.1.4.1 COMMITTED International Components for
Unicode
6.1.6.0 COMMITTED International Components for
Unicode
....
We can confirm that we have connected to the NIM client on port 39011 by looking at the output from lsof and netstat. There is a TCP session established between the master and the client on port 39011.
nimmast / # lsof -i tcp:39011
Value of I :93 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
m_showlog 430080 root 8u IPv4 0xf1000700047693b0 0t5 TCP nimmast:1023->nimaix:nimsh (ESTABLISHED)
nimmast / # netstat -na | grep 39011
tcp4 0 0 172.29.144.167.1023 172.29.152.241.39011 ESTABLISHED
nimaix / # lsof -itcp:39011
Value of I :75 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nimsh 2293836 root 0u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2293836 root 1u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2293836 root 2u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2293836 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)
nimsh 2293836 root 5u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2883742 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)
nimsh 2883742 root 5u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
If the /etc/services file on either the NIM client or the master is incorrect, we would see error messages similar to the following:
0042-006 m_lslpp: (From_Master) connect A remote host refused an attempted connect operation.
nconn: connect() failed, errno is 79nimaix: A remote host refused an attempted connect operation.
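Because a fileset update can silently reinstate 3901 on one side, it helps to check the services file on the master and on each client before a NIM operation fails with the errors above. The following check is an added example, not part of the original procedure or any IBM tooling; the function names are made up for illustration, and the two sample services files are constructed from the entries shown earlier.

```shell
# Added example: detect drift of the nimsh entry in a services-format file.
# Function names are hypothetical; 39011 is the port chosen in the walkthrough.

# Print every active (uncommented) port for service $2, protocol $3, in file $1.
active_ports() {
    awk -v svc="$2" -v proto="$3" '
        { sub(/[#].*$/, "") }              # strip comments, so "#nimsh ..." is ignored
        $1 == svc {
            n = split($2, f, "/")
            if (n == 2 && f[2] == proto) print f[1]
        }' "$1"
}

# Return 0 if nimsh/tcp and nimsh/udp each have exactly one active entry equal
# to $2, 1 on a port mismatch, 2 if an entry is missing or duplicated.
check_nimsh() {
    file=$1 want=$2 rc=0
    for proto in tcp udp; do
        ports=$(active_ports "$file" nimsh "$proto")
        count=$(printf '%s\n' "$ports" | awk 'NF { n++ } END { print n + 0 }')
        if [ "$count" -ne 1 ]; then
            echo "$file: $count active nimsh/$proto entries (expected 1)" >&2
            return 2
        elif [ "$ports" != "$want" ]; then
            echo "$file: nimsh/$proto is $ports, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the services entries as edited in the walkthrough.
write_edited() {
cat > "$1" <<'EOF'
#nimsh 3901/tcp # NIM Service Handler
#nimsh 3901/udp # NIM Service Handler
nimsh 39011/tcp # NIM Service Handler
nimsh 39011/udp # NIM Service Handler
EOF
}
# Constructed sample: the same entries after an update reinstated the defaults.
write_reverted() {
cat > "$1" <<'EOF'
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
EOF
}

d=${TMPDIR:-/tmp}/nimsh_check.$$; mkdir -p "$d"
write_edited "$d/master"; write_reverted "$d/client"
for f in "$d/master" "$d/client"; do check_nimsh "$f" 39011 && echo "$f: ok"; done
rm -rf "$d"
```

On a real system you would point check_nimsh at /etc/services on the master and on each client; a return code of 2 also catches the case where an update re-adds the default lines alongside the custom ones.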
Would I recommend this approach? No. This is not a good, permanent solution to the problem.
Do I think IBM would support this configuration? No.
Why am I writing about it then? Because it might help someone caught in a bind. You could use this method temporarily until you’ve sorted out your SAP port problem.
WARNING! Let me make this perfectly clear! The procedure that is shown above is NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT contact IBM support for help. They will not be able to assist you. They will ask you to change the nimsh port numbers back to the defaults. They will ask you to change your SAP application to use a different port number. YOU HAVE BEEN WARNED!