--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools



Recently Changed Pages:

View All Pages

View All Tags

WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any view or statement expressed anywhere on this site are strictly mine and not the opinions or views of my employer.

Pages with comments

2019/11/18 13:52 1 Comment

View All Comments


AIX 6.1

The purpose is to create a Standard Operating Environment which can be installed through NIM, and offers all functionality as configured on 5.3:

  • All default configuration and setup
    • For example DNS, NTP, filesystems, additional software, etc.
  • Tuning
    • For example limitations, unnecessary software and services, etc.
  • User Environment
    • Profile and homedir configuration
  • Security
    • AIX security
    • LDAP authentication on eDirectory
    • Sudo
    • Syslog

Although the paragraphs will refer to more necessary when necessary the overall document on which this article is based is AIX Post Install. That document was created on AIX 5.3 and gives a lot of background information. This document adds specific information for AIX 6.1, but does not copy the background information which is also valid for AIX 5.3. So, in conclusion, if you need more information the AIX Post Install is your best place to start.


The installation is performed through NIM and the version installed is:


which was released in February 2010. During the install I accepted all default settings.

How to add a client in NIM
How to install a NIM client

Default Configuration

Change Root

  • Change root's password by issuing the command 'passwd' on the commandline after login.
  • Change root's account through smitty by issuing the command 'smitty users' on the commandline:
    • Change / Show Characteristics of a User
      • Select the root user
        • Set root's home directory to /home/root


  • You'll have to create the /home/root directory and set permissions.
  • Because Root's home is initially set to / you might want to copy root's files to it's new home directory.


Setup DNS by editing the 'resolv.conf' configuration file:

# vi /etc/resolv.conf
search company.local


  • The search entry can have up to a maximum of 1024 characater strings for the DomainName variable.
  • The first DomainName variable is interpreted as the default domain name.
  • The DomainName variable is the name of a domain that should be included in the search list.
  • The domain entry and search entry are mutually exclusive. If both entries are used, the one that appears last will override the other.



Setup the timezone through 'smitty':

  • System Environments
    • Change / Show Date, Time, and Time Zone
      • Change Time Zone Using System Defined Values
      • Select your country (NL - Netherlands)
      • Select your time zone name (Europe/Amsterdam - (GMT+01:00/GMT+02:00) Central Europe)
      • Confirm

NTP Config

Setup NTP by editing the 'ntp.conf' configuration file:

# vi /etc/ntp.conf
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace

Set the Time

# ntpdate
 3 Mar 10:02:29 ntpdate[250036]: step time server offset 0.975368 sec
# ntpdate
 3 Mar 10:02:39 ntpdate[250040]: adjust time server offset 0.000045 sec

NTP Service

Configure the NTP service to start automatically through 'smitty xntpd':

  • Start Using the xntpd Subsystem
    • BOTH


To completely setup time and related services correctly reboot since the timezone change requires one.


Add the company NFS share through 'smitty manfs'

  • Network File System (NFS)
    • Network File System (NFS)
      • Add a File System for Mounting
      • Pathname of mount point [/exports/install]
      • Pathname of remote directory [/exports/install]
      • Host where remote directory resides []
      • Mount now, add entry to /etc/filesystems or both? [both]
      • /etc/filesystems entry will mount the directory on system restart. [yes]
      • Mode for this NFS file system [read-only]
      • Transport protocol to use [udp]
      • Allow execution of setuid and setgid programs in this file system? [no]
      • Allow device access via this mount? [no]


There is a new filesystem defined in /etc/filesystems:

        dev             = "/exports/install"
        vfs             = nfs
        nodename        =
        mount           = true
        options         = ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys
        account         = false

This filesystem is already mounted:

# mount
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs2   Mar 03 10:13 rw,log=/dev/hd8
         /dev/hd2         /usr             jfs2   Mar 03 10:13 rw,log=/dev/hd8
         /dev/hd9var      /var             jfs2   Mar 03 10:13 rw,log=/dev/hd8
         /dev/hd3         /tmp             jfs2   Mar 03 10:13 rw,log=/dev/hd8
         /dev/hd1         /home            jfs2   Mar 03 10:14 rw,log=/dev/hd8
         /dev/hd11admin   /admin           jfs2   Mar 03 10:14 rw,log=/dev/hd8
         /proc            /proc            procfs Mar 03 10:14 rw
         /dev/hd10opt     /opt             jfs2   Mar 03 10:14 rw,log=/dev/hd8
         /dev/livedump    /var/adm/ras/livedump jfs2   Mar 03 10:14 rw,log=/dev/hd8 /exports/install /exports/install nfs3   Mar 03 10:32 ro,bg,hard,intr,proto=udp,nodev,nosuid,sec=sys


When AIX gets installed the filesystem gets a certain amount of space dependent on the size of the disk and what is installed:

# df -m
Filesystem    MB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4         320.00    154.38   52%    12990    25% /
/dev/hd2        2144.00    355.22   84%    39261    31% /usr
/dev/hd9var      192.00     17.66   91%     6439    57% /var
/dev/hd3          64.00     61.55    4%       24     1% /tmp
/dev/hd1          32.00     31.62    2%       11     1% /home
/dev/hd11admin    128.00    127.63    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt      96.00     12.57   87%     1886    37% /opt
/dev/livedump    256.00    255.64    1%        4     1% /var/adm/ras/livedump

Change the size of the filesystems using the 'chfs' command:

# chfs -a size=2G /
# chfs -a size=4G /usr
# chfs -a size=1G /var
# chfs -a size=1G /tmp
# chfs -a size=512M /home
# chfs -a size=10G /opt


# df -m
Filesystem    MB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd4        2048.00   1882.11    9%    12990     3% /
/dev/hd2        4096.00   2306.92   44%    39261     7% /usr
/dev/hd9var     1024.00    849.48   18%     6441     4% /var
/dev/hd3        1024.00   1021.37    1%       24     1% /tmp
/dev/hd1         512.00    511.55    1%       11     1% /home
/dev/hd11admin    128.00    127.63    1%        5     1% /admin
/proc                 -         -    -         -     -  /proc
/dev/hd10opt   10240.00  10155.02    1%     1886     1% /opt
/dev/livedump    256.00    255.64    1%        4     1% /var/adm/ras/livedump

Additional Software

Download the latest rpms: IBM AIX Toolbox for Linux Applications Information page
Actual FTP download site
Get SSH and SSL from the AIX installation and expansion DVDs.

Install AIX Software

Install AIX software with 'smitty install_latest':

  • enter dir with software
Installation Summary
Name                        Level           Part        Event       Result
rpm.rte                   USR         APPLY       SUCCESS
rpm.rte                   ROOT        APPLY       SUCCESS
openssl.base            USR         APPLY       SUCCESS
openssl.base            ROOT        APPLY       SUCCESS
openssh.base.client      USR         APPLY       SUCCESS
openssh.base.server      USR         APPLY       SUCCESS
openssh.base.client      ROOT        APPLY       SUCCESS
openssh.base.server      ROOT        APPLY       SUCCESS

Install RPMS

This is a selection of RPMS I like to install on an AIX system:

# rpm -iv *.rpm

SSH and SSL Config

SSH must be configured so X11 forwarding works as well. In a later configuration stage root will be forbidden to logon remotely, but for now that is still allowed. Configuration includes two files: /etc/ssh/sshd_config and /etc/ssh/ssh_config:

bash-3.2# cat /etc/ssh/sshd_config | grep '^[A-z]'
Protocol 2
PermitRootLogin yes
IgnoreRhosts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
TCPKeepAlive yes
XauthLocation /usr/bin/X11/xauth
Banner /etc/secure_banner
Subsystem       sftp    /usr/libexec/sftp-server
bash-3.2# cat /etc/ssh/ssh_config | grep '^[A-z]'
ForwardX11 yes
ConnectTimeout 30
Protocol 2

Restart the ssh daemon:

# /etc/rc.d/rc2.d/Ssshd stop
# /etc/rc.d/rc2.d/Ssshd start

After restarting your session you can issue 'xclock' to see if it's working.

See CygWin - X op Windows to see how to setup your local Windows installation for X11 forwarding.

Note: Don't forget to create and place you secure_banner in /etc.

Oracle Requirements

Oracle has a few requirements when installed on an AIX box, and one of them is not installed by default: bos.adt.libm. The package can be installed using the NIM server:

bash-3.2# lslpp -l bos.adt.libm                                                                                        
lslpp: Fileset bos.adt.libm not installed. 

bash-3.2# nimclient -l -L ms-soe6
lpp_6100_04_03      lpp_source
bash-3.2# nimclient -o allocate -a lpp_source=lpp_6100_04_03
bash-3.2# nimclient -l -c resources ms-soe6
lpp_6100_04_03     lpp_source
bash-3.2# nimclient -o cust -a lpp_source=lpp_6100_04_03 -a filesets=bos.adt.libm

bash-3.2# lslpp -l bos.adt.libm
  Fileset                      Level  State      Description
Path: /usr/lib/objrepos
  bos.adt.libm       APPLIED    Base Application Development
                                                 Math Library

See AIX NIM for more information on how to install software using a NIM server.


AIX Limitations

For system stability reasons AIX has a few limitations which interfere (within our company) with production processes.


By default, the swap space is defined as 512 MB which is a little bit low when oracle, websphere or any other demanding application is running. Set the paging space to 4 GB for better performance:

bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active Auto  Type Chksum
hd6             hdisk0            rootvg         512MB     2   yes   yes    lv     0
bash-3.2# chps -s 112 hd6
bash-3.2# lsps -a
Page Space      Physical Volume   Volume Group    Size %Used Active Auto  Type Chksum
hd6             hdisk0            rootvg        4096MB     1   yes   yes    lv     0

Large Files

By default no one on the system is allowed to work with large files to prevent the filesystems from becoming full too fast, but we need root to work with large files. To do so, adjust the /etc/security/limits and these lines in the root section:

        fsize = -1
        data = -1
        stack = -1


By default, AIX waits 200 ms before sending the TCP acknowledgement. To disable this setting issue:

bash-3.2# no -p -o tcp_nodelayack=1
Setting tcp_nodelayack to 1
Setting tcp_nodelayack to 1 in nextboot file

In AIX Post Install are extended tests regarding AIX performance and more background information.


When running Oracle the memory is better adjusted to meet the demands Oracle can make:

bash-3.2# vmo -p -o minperm%=5 -o maxperm%=90 -o maxclient%=90 -o lru_file_repage=0
Setting minperm% to 5 in nextboot file
Modification to restricted tunable maxperm%, confirmation required yes/no yes
Setting maxperm% to 90 in nextboot file
Modification to restricted tunable maxclient%, confirmation required yes/no yes
Setting maxclient% to 90 in nextboot file
Modification to restricted tunable lru_file_repage, confirmation required yes/no yes
Setting lru_file_repage to 0 in nextboot file
Setting minperm% to 5
Setting maxperm% to 90
Warning: a restricted tunable has been modified
Setting maxclient% to 90
Warning: a restricted tunable has been modified
Setting lru_file_repage to 0
Warning: a restricted tunable has been modified

The default settings are:

vmo -p -o minperm%=20 -o maxperm%=80 -o maxclient%=80 -o lru_file_repage=1

Unnecessary Software

Software that is unnecessary:

  • Alternate Disk Installation:
    • bos.alt_disk_install.boot_images
    • bos.alt_disk_install.rte
  • Cluster Systems Management:
    • csm.client
    • csm.core
    • csm.deploy
    • csm.diagnostics
    • csm.dsh
    • csm.gui.dcem

To remove these packages issue:

installp -u bos.alt_disk_install.boot_images bos.alt_disk_install.rte csm.client csm.core csm.deploy csm.diagnostics csm.dsh csm.gui.dcem

According to KPMG security

  • AIX Security Hardening:
    • bos.aixpert.cmds
    • bos.aixpert.websm
  • Reliable Scalable Cluster Technology (RSCT)
    • rsct.core.gui
    • rsct.core.lprm
    • rsct.core.sensorrm
installp -u bos.aixpert.cmds bos.aixpert.websm rsct.core.gui rsct.core.lprm rsct.core.sensorrm

Unnecessary Services

For more information about the services see the AIX Services Documentation.

Unnecessary Inetd Subservers

Use these commands to turn all subservers off:

chsubserver -d -v ftp -p tcp
chsubserver -d -v telnet -p tcp
chsubserver -d -v shell -p tcp
chsubserver -d -v kshell -p tcp
chsubserver -d -v login -p tcp
chsubserver -d -v klogin -p tcp
chsubserver -d -v exec -p tcp
chsubserver -d -v comsat -p udp
chsubserver -d -v uucp -p tcp
chsubserver -d -v bootps -p udp
chsubserver -d -v finger -p tcp
chsubserver -d -v systat -p tcp
chsubserver -d -v netstat -p tcp
chsubserver -d -v tftp -p udp
chsubserver -d -v talk -p udp
chsubserver -d -v ntalk -p udp
chsubserver -d -v rquotad -p udp
chsubserver -d -v rexd -p tcp
chsubserver -d -v rstatd -p udp
chsubserver -d -v rusersd -p udp
chsubserver -d -v rwalld -p udp
chsubserver -d -v sprayd -p udp
chsubserver -d -v pcnfsd -p udp
chsubserver -d -v echo -p tcp
chsubserver -d -v echo -p udp
chsubserver -d -v discard -p tcp
chsubserver -d -v discard -p udp
chsubserver -d -v chargen -p tcp
chsubserver -d -v chargen -p udp
chsubserver -d -v daytime -p tcp
chsubserver -d -v daytime -p udp
chsubserver -d -v time -p tcp
chsubserver -d -v time -p udp
chsubserver -d -v instsrv -p tcp
chsubserver -d -v xmquery -p udp
chsubserver -d -v imap2 -p tcp
chsubserver -d -v pop3 -p tcp
chsubserver -d -v wsmserver -p tcp 

After disabling all subservers don't forget to refresh the inetd daemon:

refresh -s inetd

Unnecessary Subsystems

Use these commands to stop and disable subsystems that are automatically started by AIX but are not needed:

chrctcp -S -d inetd
chrctcp -S -d snmpd
chrctcp -S -d hostmibd
chrctcp -S -d snmpmibd
chrctcp -S -d aixmibd
chrctcp -S -d writesrv
chrctcp -S -d qdaemon
  • inetd: nternet daemon
  • snmpd: simple network management protocol
  • snmpmibd: extends snmp possibilities
  • hostmibd: extends snmp possibilities
  • aixmibd: extends snmp possibilities
  • writesrv: enables the ability to receive massages from users from a remote system
  • qdaemon: printer queue daemon

Remove Services from Inittab

Inittab starts a few more services which can be removed from inittab using these commands:

rmitab piobe
rmitab writesrv
rmitab qdaemon
rmitab naudio
rmitab naudio2
rmitab xmdaily
rmitab pconsole
  • piobe: spooler backend
  • naudio(2): configures pci audio devices
  • xmdaily: collects data regarding performance information
  • pconsole: system director console (web administration tool)


Since the introduction of AIX 6.1 TL 3 an extra service can be disabled. More information can be found in this pdf (page 16).
To disable this Systems Director Common Agent (which is like a SLP DA) follow these steps:

  • Comment out these line in /etc/inittab:
#platform_agent:2:once:/usr/bin/startsrc -s platform_agent >/dev/null 2>&1
#cimservices:2:once:/usr/bin/startsrc -s cimsys >/dev/null 2>&1
  • Also run these commands:
sudo /opt/ibm/director/agent/runtime/agent/bin/ stop
The LWI Nonstop Profile was not running.
sudo /opt/ibm/director/agent/runtime/nonstop/bin/ -uninstallservice

User Environment


I used AIX Profile to setup the profile for all users.

Home Directory

I used AIX Home Directory to setup the automatic creation of home directories for users.


AIX Security

Intruder Lockout

To prevent brute force account hacking enable intruder lockout. This can be done by editing '/etc/security/login.cfg':

        sak_enabled = false
        logintimes =
        logindisable = 4
        logininterval = 60
        loginreenable = 30
        logindelay = 5

For more information about these settings please check this page.

Valid Shells

Add bash to the list of valid shells, which can be done in the same file, '/etc/security/login.cfg':

         shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/u
         maxlogins = 32767
         logintimeout = 60
         maxroles = 8
         auth_type = STD_AUTH

Default User Settings

Set the default options for new created users to a higher level of security, 'vi /etc/security/user':

        admin = false
        login = false
        su = false
        daemon = true
        rlogin = true
        sugroups =
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 7
        account_locked = false
        loginretries = 3
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =

Root Login

Set, in the same file, that root is allowed to login, 'vi /etc/security/user':

       login = true

Automatic Timeout

Set an automatic timeout for sessions of one hour, 'vi /etc/profile':

# Automatic logout, include in export line if uncommented

Sendmail Privacy

Edit the /etc/ file to minimize the information sendmail shows on connection:

# privacy flags
O PrivacyOptions=goaway

See Sendmail Security Quick Fixes for more information about sendmail security.

Don't forget to restart sendmail afterwards.


LDAP authentication has been setup as described in AIX LDAP authentication on eDirectory.


Sudo security has been setup as described in Sudo.


You now have to make the final changes to the root account. Since you now have sudo rights for LDAP users root should no longer be allowed to login, except in emergencies. So, make sure users are allowed to 'su' to root and that root is only allowed a local login. You can change that in 'smitty users':

  • Change / Show Characteristics of a User
    • Select root
    • Another user can SU TO USER?
      • Set from “false” to “true”.
    • User can LOGIN REMOTELY(rsh,tn,rlogin)?
      • Set from “true” to “false”.

Also, don't forget to change the '/etc/ssh/sshd_config' to make sure root is not allowed to log in over ssh as well:

PermitRootLogin no


Syslog has been setup as described in SYSLOG.


Enter your comment. Wiki syntax is allowed:
E​ X K D E
aix61.txt · Last modified: 2019/11/18 12:21 (external edit)