WARNING!
Let me make this perfectly clear! The procedure that is shown below is
NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT
contact IBM support for help. They will not be able to assist you. They
will ask you to change the nimsh port numbers back to the defaults. They
will ask you to change your SAP application to use a different port
number. YOU HAVE BEEN WARNED!
Here’s a problem I’ve encountered more than once.
Someone installs SAP onto an AIX system and decides to use TCP port 3901 as an
SAP service port. This is the same port used by nimsh. In some rare
cases, nimsh may not be active on the LPAR, which makes it easy for the
SAP installation to hijack port 3901. If nimsh is active, the person
installing SAP may consciously stop nimsh and use port 3901 for SAP
anyway. Hopefully that doesn’t happen. Hopefully, they will talk to the
AIX administrator and discuss the best way forward. Hopefully...
In either case, if the port is taken by SAP, nimsh will no longer work. If
you love using NIM as much as I do, this is a real problem! We could
revert back to using rsh but no-one will do this anymore because of
concerns around security. And rightfully so!
The ports used by nimsh (3901 and 3902) are registered with the Internet Assigned
Numbers Authority (IANA). These port numbers appear in the
/etc/services file.
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
nimaux 3902/tcp # NIMsh Auxiliary Port
nimaux 3902/udp # NIMsh Auxiliary Port
Considering these port numbers are registered with IANA, we can usually persuade
our SAP colleagues to change their SAP installation to use a different
port number. However, depending on the skills/experience of the SAP
resource, one of two things usually happens: 1) they take an outage,
re-install SAP and choose a different port number, or 2) the more experienced/confident SAP Basis resource will take an outage and modify the instance to use a different port, without reinstalling SAP.
Perhaps SAP need to include a warning in their install notes, advising
customers not to use port 3901 on AIX systems (i.e. best practice)?
Now, if you must change nimsh to use a different port number, it is possible. But not recommended.
WARNING!
Let me make this perfectly clear! The procedure that is shown below is
NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT
contact IBM support for help. They will not be able to assist you. They
will ask you to change the nimsh port numbers back to the defaults. They
will ask you to change your SAP application to use a different port
number. YOU HAVE BEEN WARNED!
To do this, you must change the /etc/services file on the NIM master and
the NIM client to reflect the same port numbers for nimsh. This will
work until the NIM master or the NIM client has its services file
overwritten by way of install or fileset updates. After that, the
default values for nimsh will be reinstated.
You would also need to change the services file on all
of your NIM clients. Every time you performed a NIM fileset update, you
would need to remember to change the /etc/services file again. This is
painful and bound to catch someone out eventually!
In the following example I’ll demonstrate how to change the port number used by nimsh.
We start with a typical nimsh configuration using port 3901. On the NIM client, nimsh is listening on port 3901.
nimaix / # lsof -i tcp:3901
Value of I :77 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nimsh 2883740 root 4u IPv6 0xf1000e0006f843b0 0t0 TCP *:nimsh (LISTEN)
On the NIM master we can connect to the NIM client on port 3901.
nimmast / # nim -o lslpp nimaix | head -10
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
Firefox.base.rte 2.0.0.20 COMMITTED Firefox Web Browser
ICU4C.rte 6.1.4.0 COMMITTED International Components for
Unicode
6.1.4.1 COMMITTED International Components for
Unicode
6.1.6.0 COMMITTED International Components for
Unicode
...
The /etc/services files on both the NIM client and the master have the same port number for nimsh.
nimmast / # grep nimsh /etc/services
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
nimaix / # grep nimsh /etc/services
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
To change the port number for nimsh, first we select an unused port number, in this case 39011.
nimaix / # lsof -i tcp:39011
Value of I :77 np:0
We update the /etc/services file on the master and the client to reflect the new port number.
nimaix / # grep nimsh /etc/services
#nimsh 3901/tcp # NIM Service Handler
#nimsh 3901/udp # NIM Service Handler
nimsh 39011/tcp # NIM Service Handler
nimsh 39011/udp # NIM Service Handler
nimmast / # grep nimsh /etc/services
#nimsh 3901/tcp # NIM Service Handler
#nimsh 3901/udp # NIM Service Handler
nimsh 39011/tcp # NIM Service Handler
nimsh 39011/udp # NIM Service Handler
We stop and start nimsh on the client and confirm that nimsh is now listening on the new port number, 39011.
nimaix / # stopsrc -s nimsh
0513-044 The nimsh Subsystem was requested to stop.
nimaix / # startsrc -s nimsh
0513-059 The nimsh Subsystem has been started. Subsystem PID is 2883742.
nimaix / # lsof -i tcp:39011
Value of I :77 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nimsh 2883742 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)
From the NIM master we connect to the NIM client using the nim command.
nimmast / # nim -o lslpp nimaix | head -10
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
Firefox.base.rte 2.0.0.20 COMMITTED Firefox Web Browser
ICU4C.rte 6.1.4.0 COMMITTED International Components for
Unicode
6.1.4.1 COMMITTED International Components for
Unicode
6.1.6.0 COMMITTED International Components for
Unicode
....
We can confirm that we have connected to the NIM client on port 39011 by looking at the output from lsof and netstat. There is a TCP session established between the master and the client on port 39011.
nimmast / # lsof -i tcp:39011
Value of I :93 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
m_showlog 430080 root 8u IPv4 0xf1000700047693b0 0t5 TCP nimmast:1023->nimaix:nimsh (ESTABLISHED)
nimmast / # netstat -na | grep 39011
tcp4 0 0 172.29.144.167.1023 172.29.152.241.39011 ESTABLISHED
nimaix / # lsof -itcp:39011
Value of I :75 np:0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nimsh 2293836 root 0u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2293836 root 1u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2293836 root 2u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2293836 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)
nimsh 2293836 root 5u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
nimsh 2883742 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)
nimsh 2883742 root 5u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)
If the /etc/services file on either the NIM client or master is incorrect we would see error messages similar to the following:
0042-006 m_lslpp: (From_Master) connect A remote host refused an attempted connect operation.
nconn: connect() failed, errno is 79nimaix: A remote host refused an attempted connect operation.
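The drift described above (a fileset update restoring the default nimsh entries, or the master and a client disagreeing) can be caught before a NIM operation fails. The following is an added example, not part of the original post: a POSIX shell check that reads a services file, ignores commented-out entries, and reports when nimsh is not on the agreed port or when another service is assigned that port. Port 39011 matches the walkthrough; the function names and the sample file are constructed for illustration.

```shell
# Added example, not from the original post. The expected port (39011) and
# the sample file contents are constructed for illustration.

# Print the port that services file $3 assigns to service $1 over protocol $2.
# Commented-out entries such as "#nimsh 3901/tcp" are ignored.
svc_port() {
    awk -v svc="$1" -v proto="$2" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == svc { split($2, a, "/")
                    if (a[2] == proto) { print a[1]; exit } }' "$3"
}

# Print any service other than $4 that file $3 assigns to port $1 over protocol $2.
port_claimants() {
    awk -v want="$1/$2" -v self="$4" '
        { sub(/#.*/, "") }
        $2 == want && $1 != self { print $1 }' "$3"
}

# check_nimsh FILE PORT: return 0 only if nimsh tcp and udp both use PORT
# and no other service in FILE is assigned that port.
check_nimsh() {
    file=$1; expected=$2; rc=0
    for proto in tcp udp; do
        actual=$(svc_port nimsh "$proto" "$file")
        if [ "$actual" != "$expected" ]; then
            echo "DRIFT: nimsh/$proto is ${actual:-missing}, expected $expected"
            rc=1
        fi
        others=$(port_claimants "$expected" "$proto" "$file" nimsh)
        if [ -n "$others" ]; then
            echo "CONFLICT: $expected/$proto is also assigned to $others"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a fileset update has put the default entries back.
sample=${TMPDIR:-/tmp}/services.sample.$$
cat > "$sample" <<'EOF'
#nimsh 39011/tcp # NIM Service Handler
nimsh 3901/tcp # NIM Service Handler
nimsh 3901/udp # NIM Service Handler
EOF
check_nimsh "$sample" 39011 || echo "reapply the nimsh change on this host"
rm -f "$sample"
```

Running check_nimsh /etc/services 39011 on the master and on each client after any fileset update shows which hosts have reverted before the connect error above appears.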
Would I recommend this approach? No. This is not a good, permanent solution to the problem.
Do I think IBM would support this configuration? No.
Why am I writing about it then? Because it might help someone caught in a
bind. You could use this method temporarily until you’ve sorted out your
SAP port problem.
WARNING!
Let me make this perfectly clear! The procedure that is shown above is
NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT
contact IBM support for help. They will not be able to assist you. They
will ask you to change the nimsh port numbers back to the defaults. They
will ask you to change your SAP application to use a different port
number. YOU HAVE BEEN WARNED!