AIX

I wanted to do an "Alternate Disk Migration" via my NIM server to update several clients (all LPARs in a p670) from 5.1 ML6 to 5.2 ML3. As a prerequisite the procedure says "if the system has the Trusted Computing Base enabled it has to be switched off before".

Well, i didn't give this too much consideration when planning the migration, surely how to switch it off is somewhere in the OS manual, right?

Or so i thought. After feeling like an idiot for not knowing how to do it and not even be able to find it in the manual i started asking colleagues - no luck. After consulting several Usenet newsgroups (comp.os.unix.aix, etc.) and Unix boards (like www.unix.com) and finding out that the question has been asked two or three times but never been answered I felt less like an idiot - misery loves company.

So at last I gave IBM a call and opened a PMR - and, since i was already running out of time in my service window, i opened a Prio1-call for the first time in my life. I told them what i wanted ("disable TCB, the Trusted Computing Base") and was told i will be called back. The phone rang within ten minutes and the first phonecall went like like this:

IBM Technician (IT) (utterly self-confident): "So, you want to switch off TCP/IP. Fine, go to SMIT..."
Me (ME): "Sorry to interrupt you, but i said quite clearly: I'd like to disable *TCB*, the Trusted Computing Base."
IT (less confident now): "Oh, .... Why?"
ME: "I want to do an Alternate Disk Migration and as a prerequisite the procedure reads 'TCB will have to be disabled', so I want to do exactly that. Alas, the whole OS manual doesn't say anything about how to disable it."
IT (trying to regain some composure): "Well, it can only be switched on during installation...."
ME: "I *know* how to *enable* it, how is it disabled?"
IT: "hmm, Uhmmm, yes, ... I will have to consult the manual."
ME (dryly): "There i have looked already and it doesn't cover the issue."
IT: "Uhm, yes, but we have internal papers...."

Well so far the first call. To be just it has to be said that he called me back half an hour later and sent me an email complete with the procedure and an explanation why it would have to be disabled (NFS can't provide all the information about the files being installed which TCB would need to keep its database. IBM calls the information missing "file metadata").

Further, if you plan to do the same, be warned: disabling TCB means installing/migrating without TCB so you can't reenable it after the migration (why would anyone want to, anyway?).

Ladies and Gentlemen, for the first time in the world, up to now unanswered in public newsgroups, here is the correct way to disable the TCB mentioned so casually in the Alternate Disk Migration procedure:

Code:

odmget -q attribute=TCB_STATE PdAt | sed 's/tcb_enabled/tcb_disabled/' | odmchange -o PdAt -q attribute=TCB_STATE

And, as an added bonus, here is how to enable tcbck after the migration again (of course, without TCB being reenabled, the effect of disabling it is permanent):

Code:

odmget -q attribute=TCB_STATE PdAt | sed 's/tcb_disabled/tcb_enabled/' | odmchange -o PdAt -q attribute=TCB_STATE

Hope this helps.

bakunin

were do you enter the code at to disable it?

that's great, thanks!. i felt like such a rube when i enabled tcb during a test install and couldn't find out how to disable it.

At the commandline. Where else would one enter commands?

bakunin