Starting with AIX 7.1, CSM is no longer supported or available. It has been replaced by Distributed Systems Managment (DSM).   Section 5.2 of the IBM AIX 7.1 Differences Guide Redbook provides details of the new DSM capabilities.

 

Fortunately DSM still provides access to the dsh command.  I’ve written about how I’ve used this utility in the past. The new dsh command (and other tools) are provided in the new DSM filesets named dsm.core and dsm.dsh.

 

root@nim# lslpp -L dsm*

  Fileset                      Level  State  Type  Description (Uninstaller)

  ----------------------------------------------------------------------------

  dsm.core                   7.1.1.2    A     F    Distributed Systems Management

                                                   Core

  dsm.dsh                    7.1.0.0    C     F    Distributed Systems Management

                                                   Dsh

 

root@nim# lslpp -w /usr/bin/dsh

  File                                        Fileset               Type

  ----------------------------------------------------------------------------

  /usr/bin/dsh                                dsm.dsh               Symlink

 

 

These filesets are NOT installed by default. You must manually install them. They can be found on your AIX 7.1 media.

 

If dsh is something you use, then I recommend you read the section on DSM in the Redbook. Also take a look at section 5.2.7 Using DSM and NIM, in which it describes how you can integrate DSM and NIM and completely automate the installation of AIX:

 

“The AIX Network Installation Manager (NIM) has been enhanced to work with the Distributed System Management (DSM) commands. This integration enables the automatic installation of new AIX systems that are either currently powered on or off.”

 

Although I’ve written about the dsh command before, there’s one usage I’ve not covered.  And that is using dsh to manage users across a group of LPARs. In particular, changing a user’s password.

 

Before I go any further, I should state that for the following to work you must first configure ssh keys on your NIM master (or central mgmt AIX system) so that you can communicate with all of your AIX systems via SSH, as root,  without being prompted for a password. Read my article on dsh to find out how to do this if necessary.

 

In the following example, I use dsh from my NIM master. It is my central point of control for my AIX environment.

 

My ssh keys for root on my NIM master have been generated and distributed to all of my LPARs.

 

root@nim# ssh-keygen -d

Generating public/private dsa key pair.

Enter file in which to save the key (/.ssh/id_dsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /.ssh/id_dsa.

Your public key has been saved in /.ssh/id_dsa.pub.

The key fingerprint is:

ed:18:e9:00:37:13:7c:7c:74:6a:a9:e0:ad:c0:09:a9 root@nim

The key's randomart image is:

+--[ DSA 1024]----+

|     ... .. .    |

|   .  ..o .+     |

|  o . =. .+      |

| . o = = =       |

|E   + o S .      |

|     . + +       |

|      . o .      |

|                 |

|                 |

+-----------------+

 

root@nim# ls -ltra

total 40

-rw-------    1 root     system          214 17 Sep 2010  authorized_keys

drwxr-xr-x    7 root     system         4096 16 Nov 11:43 ..

-rw-r--r--    1 root     system         3615 16 Nov 12:04 known_hosts

-rw-r--r--    1 root     system          601 16 Nov 12:06 id_dsa.pub

-rw-------    1 root     system          672 16 Nov 12:06 id_dsa

drwx------    2 root     system          256 16 Nov 12:06 .

 

On my AIX LPARs, the authorized_keys file has been updated with the public ssh key from my NIM master:

 

root@aixlpar1 [/.ssh]# chmod 600 known_hosts authorized_keys

root@aixlpar1 [/.ssh]# ls -ltr

total 0

-rw-------    1 root     system          406 Sep 29 15:30 known_hosts

-rw-------    1 root     system          601 Nov 16 12:07 authorized_keys

 

root@aixlpar1 [/.ssh]# cat authorized_keys

ssh-dss AAAAB3NzaC1kc3MAAACBAPJpekVQgV2CTu5tCOsukwXwMrkfBabLAN7vwjgPk3S2p65COJkFwaDRWwBoK87cnMrrc7/GuOLdk/RiqYw1K8Z0d9RWnsymYrNm0MBALWioGGXwQ+YlLiYHIQsSArnajZOH6Ye36qz81uWNoj6u4xIxi/iGSYoU4x3UE/c/H833AAAAFQDKEtWVFk3G+KAyxUsI6FcpbJZqDQAAAIAVUVRak/s+X0mMElCaEs8Rh96GDfhorXWV1YzI0nbRo8QX2AMix+3LSdEmYCRn8TYpk1Udln3GG4gzy5oI/3Rd1RTWgAo+067LwytR6IJfwYt219Pwh2ktrm5iZu3c+yDBqQj6hsga2YIun5lxqYFy39CZNtslnR1wTx9uCcYkowAAAIEAuVFTsW9ugVM76CgluspNo0faz9xFo4DCOjCgye+k/ZqSDaNq6Xrvxktw+dkHuKHbhvofPgeiMrlqhdbrE0ovLUr8aadxArRhitnu10CFYbRwlrjAxyAaRwjD2pXG8M3a5D1XXAWDCDm6bEs5yxJqcl1wq+8UAhpKiS5yj2pwApk= root@nim

 

 

On the NIM master, the root user was configured for the DSH environment. The following entry was placed in roots .profile:

 

root@nim# cat /.profile

ENV=$HOME/.kshrc

 

The following entry was placed in roots .kshrc file:

 

root@nim# cat /.kshrc

export DSH_NODE_RSH=/usr/bin/ssh

export DSH_NODE_LIST=/usr/local/etc/nodes

 

A /usr/local/etc/nodes file was created on the NIM master. This file contains a list of each of the nodes that dsh can communicate with from NIM:

 

root@nim# cat /usr/local/etc/nodes

aixlpar1

aixlpar2

aixlpar3

aixlpar4

aixlpar5

aixlpar6

aixlpar7

aixlpar8

aixlpar9

aixlpar10

aixlpar11

 

The first time that the dsh command is run against a new host, the following message will be displayed. dsh uses the FQDN, and the FQDN needs to be added to the known_hosts file for ssh. Therefore you must make an ssh connection first with FQDN to the host:

 

root@nim# dsh uptime

aixlpar1.cg.com.au : Host key verification failed.

dsh:  2617-009 aixlpar1.cg.com.au  remote shell had exit code 255

 

It is necessary to ssh directly to each node using its FQDN. This step is only required once for each node. For example:

 

root@nim# ssh aixlpar1.cg.com.au

The authenticity of host 'aixlpar1.cg.com.au  (172.1.6.17)' can't be established.

RSA key fingerprint is 83:13:1d:cb:97:ee:00:7a:04:75:62:98:bd:e8:30:79.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'aixlpar1.cg.com.au ' (RSA) to the list of known hosts.

Last unsuccessful login: Tue Sep 27 03:04:33 GMT+10:00 2011 on ssh from 172.1.6.15

Last login: Wed Nov 16 12:08:08 GMT+11:00 2011 on /dev/pts/3 from nim

 

 

root@aixlpar1 [/root]# exit

Connection to aixlpar1.cg.com.au  closed.

 

Now we can use the dsh command to run a command across all the nodes defined in the DSH_NODE_LIST. For example, the following command will run the uptime command on all nodes:

 

root@nim# dsh uptime

aixlpar1.cg.com.au :   12:14PM   up 10 days,  22:32,  3 users,  load average: 0.47, 0.53, 0.64

aixlpar2.cg.com.au :   12:14PM   up 21 days,  21:13,  1 users,  load average: 0.11, 0.31, 0.51

aixlpar3.cg.com.au :   12:14PM   up 15 days,  20:33,  5 users,  load average: 0.17, 0.43, 0.54

...etc...

 

With dsh now configured, we can use it to perform several admin tasks from a central location. For example, the following commands will do the following:

 

1.       Create a user, named cg, on all nodes.

2.        Set cg’s password to abc123 using the chpasswd command.

3.        Remove the ADMCHG flag for the user cg. This will stop them from being prompted to change their password on their first login attempt.

 

First I check that user does not exist on the AIX systems.

 

root@nim# dsh lsuser cg

aixlpar1: 3004-687 User "cg" does not exist.

aixlpar2: 3004-687 User "cg" does not exist.

aixlpar3: 3004-687 User "cg" does not exist.

aixlpar4: 3004-687 User "cg" does not exist.

aixlpar5: 3004-687 User "cg" does not exist.

...etc...

 

I create the user with the mkuser command.

 

root@nim# dsh mkuser cg

 

I confirm that the user has been created on all the AIX systems, with the lsuser command.

 

root@nim# dsh lsuser cg

aixlpar1: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

aixlpar2: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

aixlpar3: cg id=204 pgrp=staff groups=staff home=/home/cg shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

 

I set the users password to abc123, using the chpasswd utility. I also remove the ADMCHG flag so that the user is not prompted to change their password on their first logon attempt.

 

root@nim# dsh 'echo cg:abc123 | chpasswd -c'

 

I confirm that I can logon with the new user with the specified password, on one of the AIX LPARs.

 

root@nim# ssh cg@aixlpar1

cg@aixlpar1’s password:

Last login: Thu Mar  1 20:05:01 CST 2012 on /dev/pts/1 from aix71

$ id

uid=204(cg) gid=1(staff)

 

Another nice feature of dsh is the dshbak utility. This utility presents formatted output from the dsh command. For example:

 

root@nim 520 [/.ssh]# dsh errpt | dshbak

HOST: aixlpar1.cg.com.au

------------------------------------

IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION

AA8AB241   1116110811 T O OPERATOR       OPERATOR NOTIFICATION

A6DF45AA   1104135011 I O RMCdaemon      The daemon is started.

2BFA76F6   1104134111 T S SYSPROC        SYSTEM SHUTDOWN BY USER

9DBCFDEE   1104134111 T O errdemon       ERROR LOGGING TURNED ON

 

HOST: aixlpar2.cg.com.au

-------------------------------

IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION

DE9A52D1   1111012611 I S rmt10          AAA1

4865FA9B   1111012211 P H rmt10          TAPE OPERATION ERROR

DE9A52D1   1110233511 I S rmt0           AAA1

4865FA9B   1110225511 P H rmt0           TAPE OPERATION ERROR

DE9A52D1   1109180311 I S rmt0           AAA1

4865FA9B   1109180011 P H rmt0           TAPE OPERATION ERROR

DE9A52D1   1108180411 I S rmt2           AAA1

4865FA9B   1108180211 P H rmt2           TAPE OPERATION ERROR

DE9A52D1   1108165711 I S rmt6           AAA1

4865FA9B   1108165111 P H rmt6           TAPE OPERATION ERROR

A2205861   1102085311 P S SYSPROC        Excessive interrupt disablement time

F7FA22C9   1031134111 I O SYSJ2          UNABLE TO ALLOCATE SPACE IN FILE SYSTEM

DE9A52D1   1030163411 I S rmt0           AAA1

4865FA9B   1030163411 P H rmt0           TAPE OPERATION ERROR

....etc....

 

WARNING: Please be VERY CAREFUL when using the dsh command. Issuing the wrong command can cause damage to all your AIX LPARS!

 

The dsm.dsh package contains the following utilities:

 

# lslpp -f dsm.dsh | grep /usr/bin

                        /usr/bin/dcp -> /opt/ibm/sysmgt/dsm/bin/dcp

                        /usr/bin/dsh -> /opt/ibm/sysmgt/dsm/bin/dsh

                        /usr/bin/dping -> /opt/ibm/sysmgt/dsm/bin/dping

                        /usr/bin/dshbak -> /opt/ibm/sysmgt/dsm/bin/dshbak

 

If you are a fan of the dping command, you are going to be disappointed. Although the command is currently included in the dsm.dsh fileset, it probably won’t be for much longer.

 

The command works, “sort of”:

 

root@nim# dping aixlpar1

aixlpar1: ping (alive)

 

But if you run ‘dping –a’:

 

root@nim# dping -a

dping: 2651-095 CSM license has expired or has not been accepted. Run csmconfig -L if you have installed a new release.

 

According to the developers, dping is no longer supported and will eventually be removed from the DSM package. The response from the  developers was as follows:

"The reason "dping -a" is failing with the license check is because the command is calling “/usr/bin/runact-api –c IBM.DmsCtrl::::isLicenseValid" and the license is not set. So the command fails.  Since CSM is not supported anymore and went end of life. "

“... please consider the dping command as being "deprecated" code pending removal from the dsm.dsh package.”

When I asked why the command was listed in the AIX 7.1 online documentation if it was no longer available, I was informed: “We are  in the process of working with component owner regarding the DOCs and updating them.”. At this stage I’ve not been able to find an alternative command (in AIX). If I find one, I’ll update this post.

 

If you are planning on migrating to AIX 7.1 please be aware that CSM is no longer supported or available with AIX 7.1. CSM is now ‘end of life’.

 

 

http://www.ibmsystemsmag.com/aix/tipstechniques/systemsmanagement/DSH-Simplifies-the-Task-of-Managing-Multiple-Syste/

 

http://www.redbooks.ibm.com/abstracts/sg247910.html?Open

 

http://publib.boulder.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.cmds/doc/aixcmds1/chpasswd.htm

 

Tags:  had not has -l remote accepted. 2651-095 license expired or shell csmconfig admchg 255 aix if new pwdadm installed have exit a release run csm dping chpasswd dsh you code been