Distributed SMIT 2.2 for AIX: Guide and Reference

Chapter 1. Distributed System Management Interface Tool

The Distributed System Management Interface Tool (DSMIT) adds functionality to the System Management Interface Tool (SMIT) by allowing the SMIT interface to build commands for system management and distribute them to other clients on a network. DSMIT has most of the functionality of the SMIT program, such as fast paths, log files, and flags. The DSMIT facility runs in two interfaces: ASCII (nongraphical) and AIXwindows (graphical).

The DSMIT server runs on AIX 4 and the DSMIT clients support the following operating systems:

Terminology

The following terminology is important in understanding the DSMIT program:

Client or managed machine
    Specifies the machines that run commands built by the DSMIT server. The clients wait for the server to issue the information on what commands to run.
Server or managing machine
    Specifies the machines that build and distribute commands for running on client machines.
Working collective
    Specifies a current list of clients to receive commands built by DSMIT. The working collective is a temporary list and must be reset with each new DSMIT session.
Domain of clients
    Specifies a permanent group of clients on which DSMIT can run commands. Domains are different from the working collective because they do not need to be reset with each new DSMIT session.
Exclude
    Excludes members from the working collective, preventing them from receiving commands.
Include
    Restores excluded members to the working collective, allowing them to receive commands.
Heterogeneous clients
    Specifies a network in which not all clients have the same operating systems.
Homogeneous network
    Specifies a network in which all clients have the same operating system. In this case, the operating systems can be AIX, HP, Solaris, or Sun OS.
Intersection
    Specifies the list of machines that meet all of the selected criteria.
Union
    Specifies the list of machines that meet any of the selected criteria.
DSMIT configuration file server
    Specifies the machine that holds the DSMIT security configuration files.

Network Access

The DSMIT program uses networks that support the TCP/IP and UDP/IP communication protocols. DSMIT sends information using sockets.

Network Security

DSMIT security is based on well-established cryptographic routines and DSMIT-specific communication protocols modeled after MIT's Kerberos. It provides ongoing secure DSMIT operation and supports secure modification of the security configuration and updates of passwords and keys.

The DSMIT security characteristics are:

Single Sign-on
    When single sign-on is enabled, the credentials that allow the DSMIT administrator to run DSMIT are created when the administrator logs into AIX. This is optional. If the DSMIT administrator chooses a DSMIT password different from their AIX password, the DSMIT password must be provided each time their DSMIT credentials have expired.
Authentication
    Only the user authenticated as the DSMIT administrator can run DSMIT. A root user on the managing system does not have root access to the managed systems unless the root ID is registered as a DSMIT administrator. Communications between the managing and managed systems are authenticated.
Data Integrity
    DSMIT uses the Message Authentication Code (MAC) to protect against unauthorized changes or substitutions to data transmissions between the managing and managed systems.
Data Confidentiality
    Passwords, DSMIT commands, and their output are not passed over the network in the clear. To mask data between the managing and managed systems, DSMIT uses the Commercial Data Masking Facility (CDMF) technology.
Audit Logging
    DSMIT maintains a log of significant events to keep track of the start and end of DSMIT sessions and the identity of the administrator and the managed and managing systems.

Usage

DSMIT runs in both concurrent and sequential modes. Concurrent mode means that the DSMIT server builds a command and routes it to the clients simultaneously. Sequential mode means that the DSMIT server builds a command and routes it to the clients one machine at a time. After you build a command on the server and press the Enter key, a menu appears asking in which mode you wish to run DSMIT.

When you use the concurrent mode to submit commands, ASCII DSMIT displays a spinning-wheel graphic to indicate it is processing the commands.

Files

The following DSMIT files are essential to configuration:

/usr/share/DSMIT/domains
    Defines the groups of clients that the DSMIT server supports.
/usr/share/DSMIT/dsmitos
    Defines the operating systems that the DSMIT server supports.
/usr/share/DSMIT/hosts
    Defines the clients that the DSMIT server supports.
/usr/share/DSMIT/security/v5srvtab
    Stores the local machine's unique DSMIT principal key. This file is present on each managing and managed system. The default location for this file is /usr/share/DSMIT/security/v5srvtab.
/usr/share/DSMIT/security/admin.cfg
    Stores the DSMIT administrator's keys. This file is used by the managing systems. The location for this file is in /usr/share/DSMIT/security on the system designated as the DSMIT configuration file server.
/usr/share/DSMIT/security/managing.cfg
    Stores the intermediate keys. This file is used by the managing systems. The location for this file is in /usr/share/DSMIT/security on the system designated as the DSMIT configuration file server.
/usr/share/DSMIT/security/managed.cfg
    Stores the managed machine's DSMIT principal keys. This file is used by the managing systems. The location for this file is in /usr/share/DSMIT/security on the system designated as the DSMIT configuration file server.
/usr/share/DSMIT/security/dsmit.ptr
    Stores the name of the DSMIT configuration file server. This file is present on each managing system. The location for this file is /usr/share/DSMIT/security/dsmit.ptr.
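
An added example (not part of the IBM guide): a shell audit of the four key-bearing files in the list above. The policy it enforces (regular file, expected owner UID, no group or other permission bits) is an assumption of this example rather than a requirement stated by the guide, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the DSMIT key files named in the Files list.
# Assumed policy (not from the guide): regular file, owned by the expected
# UID, no group/other permission bits.
DSMIT_SEC_DIR=${DSMIT_SEC_DIR:-/usr/share/DSMIT/security}
DSMIT_KEY_FILES="v5srvtab admin.cfg managing.cfg managed.cfg"

# check_key_file PATH EXPECTED_UID
# Returns 0 if compliant, 1 on a violation (printed), 2 if PATH is absent.
check_key_file() {
    path=$1; want_uid=$2
    if [ -h "$path" ]; then
        echo "FAIL $path: symbolic link, expected a regular file"; return 1
    fi
    [ -e "$path" ] || return 2
    if [ ! -f "$path" ]; then
        echo "FAIL $path: not a regular file"; return 1
    fi
    # ls -ln prints the mode string first and the numeric owner UID third.
    set -- $(ls -ln "$path" | awk '{print $1, $3}')
    mode=$1; uid=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $path: owner uid $uid, expected $want_uid"; return 1
    fi
    case $mode in
        -???------*) return 0 ;;   # owner bits only
        *) echo "FAIL $path: mode $mode grants group/other access"; return 1 ;;
    esac
}

# audit_dsmit_keys DIR EXPECTED_UID
# Exit status is the number of violations found (0 means clean).
audit_dsmit_keys() {
    dir=$1; owner=$2; bad=0
    for f in $DSMIT_KEY_FILES; do
        st=0
        check_key_file "$dir/$f" "$owner" || st=$?
        case $st in
            1) bad=$((bad + 1)) ;;
            # admin.cfg, managing.cfg and managed.cfg live only on the
            # configuration file server, so absence is not a violation.
            2) echo "skip $dir/$f: not present" ;;
        esac
    done
    return "$bad"
}

# Audit the real directory; root is UID 0.
audit_dsmit_keys "$DSMIT_SEC_DIR" 0 || echo "violations: $?"
```
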

Environment Variables

DSMIT exports the variable SMIT=d, which indicates that DSMIT rather than SMIT is running.

If the environment variable DSMIT_USE_PREV_WC is set, DSMIT saves the current working collective in its current state to the file $HOME/.dsmit_prev_wc. The next time DSMIT is invoked (and the environment variable is still set), DSMIT retrieves the information in $HOME/.dsmit_prev_wc to use as the current working collective.

The $HOME/.dsmit_prev_wc file is overwritten with the current working collective each time DSMIT exits.

The -w and -W flags take precedence over DSMIT_USE_PREV_WC.

Databases

The DSMIT program uses the same Object Data Manager (ODM) databases that SMIT uses. The databases are located in the /usr/lib/objrepos directory. If you add any stanzas to the ODM database, DSMIT uses these stanzas to expand its functionality.

Sun-, Solaris-, and HP-specific stanzas are located in the /usr/share/DSMIT/SunOS_4.1.3, /usr/share/DSMIT/Solaris, and /usr/share/DSMIT/HP-UX_9.0 directories, respectively. The system creates these directories when the client software is installed for either Sun, Solaris, or HP clients. The dsmitos file defines the available operating system types. This file is updated with the SMIT ODM database directory name when the DSMIT client software is installed on the DSMIT server system. During installation of the DSMIT server software, the AIX_4 SMIT ODM database directory is linked into the /usr/share/DSMIT directory and is added to the dsmitos file.

If the AIX systems that are being managed are at a different version, release, or level than the managing system (for example, the managing system is running AIX Version 4.1.3 and the managed system is running AIX 4.1.2), you need to copy the SMIT stanzas from the managed system to the managing system. This helps you avoid problems that may occur due to differences in the operating system levels. For example, if a SMIT task uses a new parameter added to a command in AIX Version 4.1.3, the command will not be understood by previous levels of the operating system. Use the following steps to add support for specific levels of AIX:

  1. On the DSMIT server:
    1. Change the current directory to /usr/share/DSMIT:
      cd /usr/share/DSMIT
    2. Create a new directory in the /usr/share/DSMIT directory:
      mkdir NewLevelDirectory
      Note: NewLevelDirectory is a specific level of AIX, such as AIX Version 3.2.5.
    3. Use the echo command to write the name of the new directory to the dsmitos file:
      echo "NewLevelDirectory" >> dsmitos
    4. Change the current directory to the new directory:
      cd NewLevelDirectory
  2. Copy an existing SMIT database from the client or an AIX host of the desired level to the server:
    rcp root@client:/usr/lib/objrepos/sm* .
  3. Verify that DSMIT client code is installed on the client. Use SMIT to list the installed software on the client.
    Note: You must install the DSMIT 2.2 client code. The client code from previous versions of DSMIT does not contain the security enhancements that allow it to interoperate with DSMIT Version 2.2.
  4. On the server, merge the domain management and working collective dialogs with the SMIT database copied from the client. Temporarily set your ODM path (the directory to access when you run your ODM commands) and add required DSMIT dialogs:
    ODMDIR=. /usr/bin/odmadd /usr/share/DSMIT/add_files/*.add

This is important if the commands being executed have changed between levels of the operating system. For example, the AIX 4.1.3 version of installp will not run on AIX 4.1.1 due to syntax changes in the flags. The SMIT database used on a managing machine must therefore correspond to the operating system level of the managed machine.

Related Information

Installing DSMIT.

Security Configuration for DSMIT

Modifying DSMIT Security Configuration

Establishing a Single Sign-on

Starting and Stopping DSMIT.

Using the Interface.

Defining Clients, Defining the Working Collective, Saving the Current Working Collective as a Domain.

Creating a Domain, Changing a Domain, Removing a Domain.

DSMIT Troubleshooting.

Examples of Commands Built with DSMIT.

The chdsmitd command, dsmit command, lsdsmitd command, lsdsmitm command, mkdsmitd command, rmdsmitd command.

