AIX and TCB


# 1  
Question AIX and TCB

Hi

I have a question with regards to AIX 5.3 & TCB. I have a client that is requesting TCB to be installed in AIX. However, it seems that the perception of TCB is that it causes major headaches when it comes to configuring the system in real-world environments, such as large-scale Oracle databases with multiple legacy clients using various interfaces. I have surfed to the end of the web and back, as well as exhausting all other avenues to find info about TCB. I understand how it works and how to install it, etc. However, I cannot find any views or reviews on expected performance overhead, or even comments on whether it is a good tool or not worth all the effort.
Does anybody have personal experience working with TCB in AIX, or know of a secret cave out there on the web with info that I have missed?

System to be configured:
migrating P5-570 AIX 5.3 Oracle 9i to P6-595 (I am aware that I will have to re-install or do a preservation install to enable TCB)
AIX NIM client
All LPARs AIX 5.3 (app limitation, no AIX 6.1)
No VIO
Boot from internal SCSI (customer request; YES, I know that is already an issue with TCB being part of rootvg and will affect I/O performance)
All other VGs SAN

I am looking specifically for info with regards to CPU & MEM overhead. I know I have not provided much info into this forum, but I would appreciate any feedback.

regards
# 2  
I have little experience with TCB, but found it cumbersome to work with in daily operations. You might be better off using AIXpert.
# 3  
Power AIX and TCB and AIXpert

Hi

Thanx for the feedback, really appreciate it. I have done some checking on your recommended AIXpert. It looks good and is part of AIX from what I can see. It's also continued in AIX 6.1, so that's great, although AIX 6.1 now has a revised, upgraded version of TCB. Now I just need to convince the client that AIXpert is a better way to go and find out how to use/config it.

As for TCB on AIX 5.3, the best info I could find was actually in the AIX 4.3 Elements of Security redbook:
http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf
And from speaking to IBM it seems like there is not much support/knowledge of/for TCB. This is understandable, as not many systems like to be limited to a feature that would require a re-install to disable. However, if security is your top concern then there will be sacrifices.

AIX TCB details
  1. TCB must remain part of rootvg (thus make sure rootvg is on an optimal disk for high I/O)
  2. Will only monitor static flat files, no database integration (although it seems AIX 6.1 has a feature that might provide some type of database monitoring?)
  3. Monitors files/devices/etc. listed in /etc/security/sysck.cfg
  4. Can possibly be switched off and on with odm commands?
  5. Performance overhead would relate directly to how many alerts/checks are configured in /etc/security/sysck.cfg and how frequently they are monitored
regards
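The two inputs the posters keep coming back to are the ODM flag that says whether TCB is on (queried with odmget -q attribute=TCB_STATE PdAt) and the stanzas in /etc/security/sysck.cfg that tcbck verifies, which is where the per-check overhead comes from. The script below is an added, read-only example, not code from the thread or from IBM: it parses both formats so an admin can see the TCB state and how many files are under trusted checking before deciding on the feature. The odmget output and the sysck.cfg stanzas are constructed samples that follow the AIX layout; the values are made up.

```shell
#!/bin/sh
# Added example: summarise TCB state and sysck.cfg coverage on an AIX box.
# On a real system feed the live data instead of the samples:
#   odmget -q attribute=TCB_STATE PdAt | tcb_state
#   sysck_summary < /etc/security/sysck.cfg

# Print the TCB_STATE default (tcb_enabled / tcb_disabled) from odmget output on stdin.
tcb_state() {
    awk -F'"' '/deflt/ { print $2 }'
}

# Print "<stanzas> <stanzas whose mode carries the TCB attribute>" for a
# sysck.cfg-style file on stdin. A stanza starts with "<path>:" at column 1.
sysck_summary() {
    awk '
        /^[^ \t].*:[ \t]*$/                  { total++ }
        /^[ \t]+mode[ \t]*=/ && $0 ~ /TCB/   { trusted++ }
        END { printf "%d %d\n", total + 0, trusted + 0 }
    '
}

# List the paths whose stanza marks them as trusted (mode contains TCB).
trusted_paths() {
    awk '
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0 }
        /^[ \t]+mode[ \t]*=/ && $0 ~ /TCB/ { print cur }
    '
}

# Constructed sample inputs (AIX-style layout, invented values).
SAMPLE_ODM='PdAt:
        uniquetype = ""
        attribute = "TCB_STATE"
        deflt = "tcb_enabled"
        values = ""'

SAMPLE_SYSCK='/usr/bin/ls:
        owner = bin
        group = bin
        mode = TCB,555
        type = FILE
        class = apply,inventory,bos.rte.commands

/etc/security/passwd:
        owner = root
        group = security
        mode = TCB,600
        type = FILE

/usr/local/bin/appstart:
        owner = root
        group = system
        mode = 755
        type = FILE'

echo "TCB state: $(printf '%s\n' "$SAMPLE_ODM" | tcb_state)"
echo "sysck.cfg stanzas / trusted: $(printf '%s\n' "$SAMPLE_SYSCK" | sysck_summary)"
printf '%s\n' "$SAMPLE_SYSCK" | trusted_paths
```

The trusted count is the number of files tcbck re-verifies on every run, which is the figure to weigh against point 5 above.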
# 4  
You might want to read this personal account of mine about TCB and the troubles arising when doing an alternate disk migration.

One aspect of having TCB is: alternate disk installation is impossible.

I hope this helps.

bakunin
# 5  
Well, that's not entirely true.

Starting with AIX v5.3 TL6, with APAR IY87344 installed, you can perform migrations of TCB enabled systems if the caching option to nimadm is used. For those that aren't aware, nimadm stands for Network Installation Manager Alternate Disk Migration.

The following redbook has some information on using this tool:

IBM Redbooks | NIM from A to Z in AIX 5L

Cheers.

Last edited by gibbo; 09-19-2008 at 03:25 AM..
# 6  
Power AIX and TCB and NIM

I am a bit confused with regards to this NIM alternate disk install. In the AIX 5L NIM redbook it says:
"Some limitations apply when using the nimadm utility:
1. If the client's rootvg has TCB turned on, you will need to either disable it (permanently) or perform a conventional migration (for example, using CD or NIM. Refer to 4.4, "Using NIM to perform AIX migrations of the NIM master and clients" on page 153). This limitation exists because TCB needs to access file metadata which is not visible over NFS"
They then go through an example that shows TCB being switched off with odmget, migrated and then enabled again. They specifically state, showing an example, that "If you try to enable TCB again after the migration you may run into some trouble with files being deactivated which may cause havoc to your running system."
So I think yes, you can do an alternate disk install, BUT your alternate install will not have TCB active?

would you agree ?
# 7  
Quote:
Originally Posted by kimyo
So I think yes you can do an alternate disk install, BUT your alternate install will not have TCB active?

would you agree ?
Yes. This is what I meant above: when you go through all the trouble to have TCB enabled during installation you presumably want to retain that feature after the update. But you can only do either a NIM alt-disk-install update and disable TCB permanently, or do a conventional update with CDs and retain TCB - these options are, to my knowledge - gibbo's information is news to me - mutually exclusive.

I hope this helps.

bakunin