nimsh and SAP (Chris's AIX Blog)

The developerWorks Connections platform will be sunset on December 31, 2019. On January 1, 2020, this blog will no longer be available. More details available on our FAQ.

nimsh and SAP

cggibbo June 10 2011 Comments (8) Visits (53561)

0 people like this

WARNING! Let me make this perfectly clear! The procedure that is shown below is NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT contact IBM support for help. They will not be able to assist you. They will ask you to change the nimsh port numbers back to the defaults. They will ask you to change your SAP application to use a different port number. YOU HAVE BEEN WARNED!

Here’s a problem I’ve encountered more than once.

Someone installs SAP onto an AIX system and decides to use TCP port 3901 as an SAP service port. This is the same port used by nimsh. In some rare cases, nimsh may not be active on the LPAR, which makes it easy for the SAP installation to hijack port 3901. If nimsh is active, the person installing SAP may consciously stop nimsh and use port 3901 for SAP anyway. Hopefully that doesn’t happen. Hopefully, they will talk to the AIX administrator and discuss the best way forward. Hopefully...

In either case, if the port is taken by SAP, nimsh will no longer work. If you love using NIM as much as I do, this is a real problem! We could revert back to using rsh but no-one will do this anymore because of concerns around security. And rightfully so!

The ports used by nimsh (3901 and 3902) are registered to Internet Assigned Number Authority (IANA). These port numbers appear in the /etc/services file.

nimsh 3901/tcp # NIM Service Handler

nimsh 3901/udp # NIM Service Handler

nimaux 3902/tcp # NIMsh Auxiliary Port

nimaux 3902/udp # NIMsh Auxiliary Port

Considering these port numbers are registered with IANA, we can usually persuade our SAP colleagues to change their SAP installation to use a different port number. However, depending on the skills/experience of the SAP resource, one of two things usually happens 1) They take an outage, re-install SAP and choose a different port number or 2) The more experienced/confident SAP basis resource will take an outage and modify the instance to use a different port: without reinstalling SAP.

Perhaps SAP need to include a warning in their install notes, advising customers not to use port 3901 on AIX systems (i.e. best practice)?

Now, if you must change nimsh to use a different port number, it is possible. But not recommended.

To do this, you must change the /etc/services file on the NIM master and the NIM client to reflect the same port numbers for nimsh. This will work until the NIM master or the NIM client have their services file overwritten by way of install or fileset updates. After which, the default values for nimsh will be reinstated.

You would also need to change the services file on all of your NIM clients. Every time you performed a NIM fileset update, you would need to remember to change the /etc/services file again. This is painful and bound to catch someone out eventually!

In the following example I’ll demonstrate how to change the port number used by nimsh.

We start with a typical nimsh configuration using port 3901. On the NIM client, nimsh is listening on port 3901.

nimaix / # lsof -i tcp:3901

Value of I :77 np:0

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

nimsh 2883740 root 4u IPv6 0xf1000e0006f843b0 0t0 TCP *:nimsh (LISTEN)

On the NIM master we can connect to the NIM client on port 3901.

nimmast / # nim -o lslpp nimaix | head -10

Fileset Level State Description

----------------------------------------------------------------------------

Path: /usr/lib/objrepos

Firefox.base.rte 2.0.0.20 COMMITTED Firefox Web Browser

ICU4C.rte 6.1.4.0 COMMITTED International Components for

Unicode

6.1.4.1 COMMITTED International Components for

Unicode

6.1.6.0 COMMITTED International Components for

Unicode

...

The /etc/services file on both the NIM client and the master have the same port number for nimsh.

nimmast / # grep nimsh /etc/services

nimsh 3901/tcp # NIM Service Handler

nimsh 3901/udp # NIM Service Handler

nimaix / # grep nimsh /etc/services

nimsh 3901/tcp # NIM Service Handler

nimsh 3901/udp # NIM Service Handler

To change the port number for nimsh, first we select an unused port number, in this case 39011.

nimaix / # lsof -i tcp:39011

Value of I :77 np:0

We update the /etc/services file on the master and the client to reflect the new port number.

nimaix / # grep nimsh /etc/services

#nimsh 3901/tcp # NIM Service Handler

#nimsh 3901/udp # NIM Service Handler

nimsh 39011/tcp # NIM Service Handler

nimsh 39011/udp # NIM Service Handler

nimmast / # grep nimsh /etc/services

#nimsh 3901/tcp # NIM Service Handler

#nimsh 3901/udp # NIM Service Handler

nimsh 39011/tcp # NIM Service Handler

nimsh 39011/udp # NIM Service Handler

We stop and start nimsh on the client and confirm that nimsh is now listening on the new port number, 39011.

nimaix / # stopsrc -s nimsh

0513-044 The nimsh Subsystem was requested to stop.

nimaix / # startsrc -s nimsh

0513-059 The nimsh Subsystem has been started. Subsystem PID is 2883742.

nimaix / # lsof -i tcp:39011

Value of I :77 np:0

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

nimsh 2883742 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)

From the NIM master we connect to the NIM client using the nim command.

nimmast / # nim -o lslpp nimaix | head -10

Fileset Level State Description

----------------------------------------------------------------------------

Path: /usr/lib/objrepos

Firefox.base.rte 2.0.0.20 COMMITTED Firefox Web Browser

ICU4C.rte 6.1.4.0 COMMITTED International Components for

Unicode

6.1.4.1 COMMITTED International Components for

Unicode

6.1.6.0 COMMITTED International Components for

Unicode

....

We can confirm that we have connected to the NIM client on port 39011 by looking at the output from lsof and netstat. There is a TCP session established between the master and the client on port 39011.

nimmast / # lsof -i tcp:39011

Value of I :93 np:0

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

m_showlog 430080 root 8u IPv4 0xf1000700047693b0 0t5 TCP nimmast:1023->nimaix:nimsh (ESTABLISHED)

nimmast / # netstat -na | grep 39011

tcp4 0 0 172.29.144.167.1023 172.29.152.241.39011 ESTABLISHED

nimaix / # lsof -itcp:39011

Value of I :75 np:0

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

nimsh 2293836 root 0u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)

nimsh 2293836 root 1u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)

nimsh 2293836 root 2u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)

nimsh 2293836 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)

nimsh 2293836 root 5u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)

nimsh 2883742 root 4u IPv6 0xf1000e0006f85bb0 0t0 TCP *:nimsh (LISTEN)

nimsh 2883742 root 5u IPv6 0xf1000e0004d313b0 0t5 TCP nimaix:nimsh->nimmast:1023 (ESTABLISHED)

If the /etc/services file on either the NIM client or master is incorrect we would see error messages similar to the following:

0042-006 m_lslpp: (From_Master) connect A remote host refused an attempted connect operation.

nconn: connect() failed, errno is 79nimaix: A remote host refused an attempted connect operation.

Would I recommend this approach? No. This is not a good, permanent solution to the problem.

Do I think IBM would support this configuration? No.

Why am I writing about it then? Because it might help someone caught in a bind. You could use this method temporarily until you’ve sorted out your SAP port problem.

WARNING! Let me make this perfectly clear! The procedure that is shown above is NOT SUPPORTED by IBM. If you choose to follow these procedures, DO NOT contact IBM support for help. They will not be able to assist you. They will ask you to change the nimsh port numbers back to the defaults. They will ask you to change your SAP application to use a different port number. YOU HAVE BEEN WARNED!

Tags: nimsh nim chris 3901 gibson aix sap

Comments (8)

Add a Comment

Quarantine this Entry

cggibbo commented Oct 24 2011 Comment Permalink

"craifarr wrote Hi Chris A link may not be much use iunless you have access to the SAP Service Marketpleace or SAP Developer Network. But here is the text from the installation OSS Notes. 'If you use NIM Service Handler (NIMSH), do not use 01 or 02 as SAP system instance number. SAPinst uses the instance number for the internal message server port 39 . The NIM client daemon uses reserved ports 3901 and 3902.' is NIM mandatory to use for AIX management or are the other alternatives? We are looking at going to P7 series and would like some advise around the use of NIM considering we have multiple SAP Systems installed using ports 3901. What are the pro's and con's of using or not using NIM. Regards Craig" Thanks again for your comments Craig. No, NIM is not mandatory. But I think it's essential in environments that runn more than a handful of LPARs. It's advantages are documented thoroughly in the NIM A-Z Redbook, but I may write a new blog post on why I think NIM is an important tool in the Enterprise AIX landscape. I could talk about the alternatives to NIM but to be honest they are antiquated and inefficient....do you feel like running around with physical media....to and from your data centre................... to install AIX and additional software? ;-) Stay tuned and I'll dedicate a post to NIM.

craifarr commented Oct 17 2011 Comment Permalink

Hi Chris A link may not be much use iunless you have access to the SAP Service Marketpleace or SAP Developer Network. But here is the text from the installation OSS Notes. " If you use NIM Service Handler (NIMSH), do not use 01 or 02 as SAP system instance number. SAPinst uses the instance number for the internal message server port 39. The NIM client daemon uses reserved ports 3901 and 3902. " is NIM mandatory to use for AIX management or are the other alternatives? We are looking at going to P7 series and would like some advise around the use of NIM considering we have multiple SAP Systems installed using ports 3901. What are the pro's/con's of using/not using NIM. Regards Craig

jbhelmich commented Aug 18 2011 Comment Permalink

I've always wondered why IBM didn't implement secure communications through the pretty much universal standard ssh instead of nimsh. If it can work through the standard rsh port I don't see why ssh would be that difficult to spin up.

cggibbo commented July 6 2011 Comment Permalink

Hi Craig, Thanks for the comment. Always good to get feedback. It's good to know that SAP does provide a warning. Hopefully people are reading this information and discussing it with their AIX administrator. Can you provide a link to the SAP document that contains this warning? Thanks! rsh is insecure. Most auditors and/or Network Security administrators will ask UNIX admin's to disable the rsh service on a production UNIX system. If security is not a concern for your auditors or security admins, then you can probably get away with it. Although I wouldn't be at all surprised if the rsh option for NIM is removed at some point in the future. nimsh offers secure communications between the NIM master and the NIM client. Cheers. Chris

craifarr commented July 6 2011 Comment Permalink

Hi Chris, SAP does provide a warning in the installation guides in regards to the use of the this port on AIX systems. However this was not the case a couple of years back. In our case we have disabled nimsh accross all the AIX lpars runnign SAP, our unix admins at KAZ barely batted an eye lid on the request. As I am a SAP administrator and not an AIX administrator I was wondering what the consequences of this are and what value nimsh gives the AIX admin?

cggibbo commented June 15 2011 Comment Permalink

Reply from Pablo: "In this case the nimsh was installed first. When they were installing SAP they complained about the port. I found a SAP Installation Manual which had a note about this issue and that was all :D Regards. Pablo."

cggibbo commented June 14 2011 Comment Permalink

Thanks for the comment Pablo. What method did you use to resolve it? Cheers. Chris

ppereira commented June 14 2011 Comment Permalink

Hi Chris!!!!! I ran into this last week, Great explanation!!

Blogs

Chris's AIX Blog

About this blog

Related posts

Revised version of “...

7.1.1-TIV-ITM_SAP-FP...

SAP note 1522993: Of...

Testing AIX Live Upd...

IBM Storage Insights...

Tags

Selected Tags

Related Tags

nimsh and SAP

Send Email Notification

Quarantine this entry

Mark as Duplicate

Comments (8)