
HP-UX System and Network Administration I
H3064S J.00
Student guide
1 of 3
Use of this material to deliver training without prior written permission from HP is prohibited.
© Copyright 2010 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
This is an HP copyrighted work that may not be reproduced without the written permission of HP. You may not use these materials to deliver training to any person outside of your organization without the written permission of HP.
UNIX® is a registered trademark of The Open Group.
X/Open® is a registered trademark, and the X device is a trademark of X/Open Company Ltd. in the UK and other countries.
Printed in the US
HP-UX System and Network Administration I
Student guide (1 of 3)
September 2010
http://education.hp.com H3064S I.00
© 2009 Hewlett-Packard Development Company, L.P.
Contents
Module 1 – Course Overview
1–1. SLIDE: Course Audience
1–2. SLIDE: Course Agenda
1–3. SLIDE: HP-UX Versions
1–4. SLIDE: HP-UX System Administration Resources
Module 2 – Navigating SAM and the SMH
2–1. SLIDE: SAM and SMH Overview
2–2. SLIDE: Launching the SMH TUI
2–3. SLIDE: Launching the SMH GUI via Autostart
2–4. SLIDE: Launching the SMH GUI via Start-on-Boot
2–5. SLIDE: Verifying the SMH Certificate
2–6. SLIDE: Logging into the SMH
2–7. SLIDE: SMH Menus and Tabs
2–8. SLIDE: SMH->Home (1 of 2)
2–9. SLIDE: SMH->Home (2 of 2)
2–10. SLIDE: SMH->Tools (1 of 4)
2–11. SLIDE: SMH->Tools (2 of 4)
2–12. SLIDE: SMH->Tools (3 of 4)
2–13. SLIDE: SMH->Tools (4 of 4)
2–14. SLIDE: SMH->Settings
2–15. SLIDE: SMH->Tasks
2–16. SLIDE: SMH->Logs
2–17. SLIDE: SMH Group Access Control
2–18. SLIDE: SMH Authentication
2–19. SLIDE: SMH and SIM Integration Possibilities
2–20. SLIDE: For Further Study
2–21. LAB: Configuring and Using the System Management Homepage
2–22. LAB SOLUTIONS: Configuring and Using the System Management Homepage
Module 3 – Managing Users and Groups
3–1. SLIDE: User and Group Concepts
3–2. SLIDE: What Defines a User Account?
3–3. SLIDE: The /etc/passwd File
3–4. SLIDE: The /etc/shadow File
3–5. SLIDE: The /etc/group File
3–6. SLIDE: Creating User Accounts
3–7. SLIDE: Modifying User Accounts
3–8. SLIDE: Deactivating User Accounts
3–9. SLIDE: Removing User Accounts
3–10. SLIDE: Configuring Password Aging
3–11. SLIDE: Configuring Password Policies
3–12. SLIDE: Managing Groups
3–13. SLIDE: Managing /etc/skel
3–14. LAB: Managing User Accounts
3–15. LAB SOLUTIONS: Managing User Accounts
Module 4 – Navigating the HP-UX File System
4–1. SLIDE: Introducing the File System Paradigm
4–2. SLIDE: System Directories
4–3. SLIDE: Application Directories
4–4. SLIDE: Commands to Help You Navigate
4–5. LAB: HP-UX File System Hierarchy
4–6. LAB SOLUTIONS: HP-UX File System Hierarchy
Module 5 – Configuring Hardware
5–1. SLIDE: Hardware Components
5–2. SLIDE: CPUs
5–3. SLIDE: Cell Boards, Blades, Crossbars, and Blade Links
5–4. SLIDE: SBAs, LBAs, and PCI Expansion Buses
5–5. SLIDE: iLO / MP Cards
5–6. SLIDE: Core I/O Cards
5–7. SLIDE: Internal Disks, Tapes, and DVDs
5–8. SLIDE: Interface Adapter Cards
5–9. SLIDE: Disk Arrays and LUNs
5–10. SLIDE: SANs and Multipathing
5–11. SLIDE: Partitioning Overview
5–12. SLIDE: nPar, vPar, VM, and Secure Resource Partition Overview
5–13. SLIDE: Part 2: System Types
5–14. SLIDE: Integrity Server Overview
5–15. SLIDE: Entry-Class Rackmount Server Overview
5–16. SLIDE: Entry-Class Rackmount Server Example: HP Integrity rx2660 (front)
5–17. SLIDE: Entry-Class Rackmount Server Example: HP Integrity rx2660 (rear)
5–18. SLIDE: Mid-Range Cell-Based Server Overview
5–19. SLIDE: Mid-Range Cell-Based Server Example: HP Integrity rx8640 (front)
5–20. SLIDE: Mid-Range Cell-Based Server Example: HP Integrity rx8640 (rear)
5–21. SLIDE: High-End Cell-Based Server Overview
5–22. SLIDE: High-End Cell-Based Server Example: HP Integrity Superdome (front)
5–23. SLIDE: High-End Cell-Based Server Example: HP Integrity Superdome (rear)
5–24. SLIDE: HP BladeSystem Overview
5–25. SLIDE: HP BladeSystem Enclosure Overview
5–26. SLIDE: HP BladeSystem Enclosure Example: HP BladeSystem c7000 Enclosure
5–27. SLIDE: HP Integrity Blade Server Model Overview
5–28. SLIDE: HP Integrity Server Blade Example: HP Integrity BL890c i2
5–29. SLIDE: HP Integrity Superdome 2 Overview
5–30. SLIDE: HP Integrity Superdome 2 Example: HP Integrity Superdome 2
5–31. SLIDE: Viewing the System Configuration
5–32. SLIDE: Viewing nPar, vPar, and VM Hardware
5–33. SLIDE: Part 3: HP-UX Hardware Addressing
5–34. SLIDE: Hardware Addresses
5–35. SLIDE: Legacy vs. Agile View Hardware Addresses
5–36. SLIDE: Legacy HBA Hardware Addresses
5–37. SLIDE: Legacy Parallel SCSI Hardware Addresses
5–38. SLIDE: Legacy FC Hardware Addresses (1 of 2)
5–39. SLIDE: Legacy FC Hardware Addresses (2 of 2)
5–40. SLIDE: Viewing Legacy HP-UX Hardware Addresses
5–41. SLIDE: Agile View HBA Hardware Addresses
5–42. SLIDE: Agile View Parallel SCSI Hardware Addresses
5–43. SLIDE: Agile View FC Lunpath Hardware Addresses (1 of 2)
5–44. SLIDE: Agile View FC Lunpath Hardware Addresses (2 of 2)
5–45. SLIDE: Agile View FC LUN Hardware Path Addresses
5–46. SLIDE: Viewing LUN Hardware Paths via Agile View
5–47. SLIDE: Viewing LUNs and their lunpaths via Agile View
5–48. SLIDE: Viewing HBAs and their lunpaths via Agile View
5–49. SLIDE: Viewing LUN Health via Agile View
5–50. SLIDE: Viewing LUN Attributes via Agile View
5–51. SLIDE: Enabling and Disabling lunpaths via Agile View
5–52. SLIDE: Part 4: Slot Addressing
5–53. SLIDE: Slot Address Overview
5–54. SLIDE: Slot Address Components
5–55. SLIDE: Viewing Slot Addresses
5–56. SLIDE: Part 6: Managing Cards and Devices
5–57. SLIDE: Installing Interface Cards w/out OL* (11i v1, v2, v3)
5–58. SLIDE: Installing Interface Cards with OL* (11i v1)
5–59. SLIDE: Installing Interface Cards with OL* (11i v2, v3)
5–60. SLIDE: Installing New Devices (11i v1, v2, v3)
5–61. LAB: Exploring the System Hardware
5–62. LAB SOLUTIONS: Exploring the System Hardware
Module 6 – Configuring Device Files
6–1. SLIDE: Device Special File Overview
6–2. SLIDE: DSF Attributes
6–3. SLIDE: DSF Types: Legacy vs. Persistent
6–4. SLIDE: DSF Directories
6–5. SLIDE: Legacy DSF Names
6–6. SLIDE: Persistent DSF Names
6–7. SLIDE: LUN, Disk, and DVD DSF Names
6–8. SLIDE: Boot Disk DSF Names
6–9. SLIDE: Tape Drive DSF Names
6–10. SLIDE: Tape Autochanger DSF Names
6–11. SLIDE: Terminal, Modem, and Printer DSF Names
6–12. SLIDE: Listing Legacy DSFs
6–13. SLIDE: Listing Persistent DSFs
6–14. SLIDE: Correlating Persistent DSFs with LUNs and lunpaths
6–15. SLIDE: Correlating Persistent DSFs with WWIDs
6–16. SLIDE: Correlating Persistent DSFs with Legacy DSFs
6–17. SLIDE: Decoding Persistent and Legacy DSF Attributes
6–18. SLIDE: Managing Device Files
6–19. SLIDE: Creating DSFs via insf
6–20. SLIDE: Creating DSFs via mksf
6–21. SLIDE: Creating DSFs via mknod
6–22. SLIDE: Removing DSFs via rmsf
6–23. SLIDE: Disabling and Enabling Legacy Mode DSFs
6–24. LAB: Configuring Device Files
6–25. LAB SOLUTIONS: Configuring Device Files
Module 7 – Managing Disk Devices
7–1. SLIDE: Disk Partitioning Concepts
7–2. SLIDE: Whole Disk Partitioning Concepts
7–3. SLIDE: Logical Volume Manager Concepts
7–4. SLIDE: LVM Physical Volume Concepts
7–5. SLIDE: LVM Volume Group Concepts
7–6. SLIDE: LVM Logical Volume Concepts
7–7. SLIDE: LVM Extent Concepts
7–8. SLIDE: LVM Extent Size Concepts
7–9. SLIDE: LVM Volume Group Versions and Limits
7–10. SLIDE: LVM DSF Directories
7–11. SLIDE: LVMv1 Volume Group and Logical Volume DSFs
7–12. SLIDE: LVMv2 Volume Group and Logical Volume DSFs
7–13. SLIDE: Creating Physical Volumes
7–14. SLIDE: Creating LVMv1 Volume Groups
7–15. SLIDE: Creating LVMv2 Volume Groups
7–16. SLIDE: Creating Logical Volumes
7–17. SLIDE: Verifying the Configuration
7–18. SLIDE: Disk Space Management Tool Comparison
7–19. LAB: Configuring Disk Devices
7–20. LAB SOLUTIONS: Configuring Disk Devices
Module 8 – Managing File Systems
8–1. SLIDE: File System Overview
8–2. SLIDE: File System Types
8–3. SLIDE: Part 1: File System Concepts
8–4. SLIDE: Superblock Concepts
8–5. SLIDE: Inode Concepts
8–6. SLIDE: Directory Concepts
8–7. SLIDE: Block and Extent Concepts
8–8. SLIDE: Hard Link Concepts
8–9. SLIDE: Symbolic Link Concepts
8–10. SLIDE: Intent Log Concepts
8–11. SLIDE: HFS / VxFS Comparison
8–12. SLIDE: Part 2: Creating and Mounting File Systems
8–13. SLIDE: Overview: Creating and Mounting a File System
8–14. SLIDE: Creating a File System
8–15. SLIDE: Mounting a File System
8–16. SLIDE: Unmounting a File System
8–17. SLIDE: Automatically Mounting File Systems
8–18. SLIDE: Mounting CDFS File Systems
8–19. SLIDE: Mounting ISO Files
8–20. SLIDE: Mounting LOFS File Systems
8–21. SLIDE: Mounting MemFS File Systems
8–22. LAB: Creating and Mounting File Systems
8–23. LAB SOLUTIONS: Creating and Mounting File Systems
Module 1 – Course Overview
Objectives
Upon completion of this module, you will be able to do the following:
• Describe the target audience for this course.
• List the topics covered in this course.
• List the currently supported HP-UX operating system versions.
• List some common reference sources used by HP-UX system administrators.
• Determine a system's current OS version.
1–1. SLIDE: Course Audience
Student Notes
This fast-paced 5-day course is the first of two courses HP offers to prepare new UNIX administrators to successfully manage an HP-UX server or workstation.
The course assumes that the student has experience with general UNIX user commands.
1–2. SLIDE: Course Agenda
Student Notes
HP-UX System Administrators often serve a number of roles – from configuring peripherals, to managing user accounts, to installing software and patches. Over the span of five days, this course covers the core skills required by all HP-UX system administrators.
HP recommends that students attend the follow-on to this course, HP-UX System and Network Administration 2 (H3065S), to complete the course sequence for new HP-UX administrators.
HP Education also offers courses covering numerous advanced HP-UX system and network administration topics. See our website, http://www.hp.com/education, for more information.
Course Agenda
Course Overview
Navigating the SMH
Managing Users and Groups
Navigating the HP-UX File System
Managing Hardware
Managing Device Files
Managing Disk Devices
Managing File Systems
Managing Swap Space
Maintaining Disks and File Systems
Preparing for Disasters
Accessing the System Console
Booting PA-RISC Systems
Booting Integrity Systems
Configuring the Kernel
Managing Software with SD-UX
Managing Patches with SD-UX
Installing the OS with Ignite-UX
Course Review
1–3. SLIDE: HP-UX Versions
Student Notes
Since HP-UX 11i was first released for PA-RISC in 2000, HP has released a number of versions of the operating system for the Integrity product line. The table on the slide lists the release identifier (as reported by HP-UX commands), release name (as used in the HP-UX documentation), and supported platform for each release of HP-UX 11i. HP distributes updated media kits with new patches and minor software updates approximately every six months. The four digits following "11i v1/v2/v3" indicate each release's release year and month.
Use the uname -r command to determine which HP-UX version your system is currently running:
# uname -r
B.11.31
HP-UX Versions
• HP currently supports several HP-UX 11i versions
• Slides and notes in this course cover all three current versions
• Labs will be completed on 11i v3
Release        Release   Supports PA-RISC         Supports Integrity
Identifier     Name      Servers   Workstations   Servers   Workstations
11.11          11i v1    yes       yes            no        no
11.23.yymm*    11i v2    yes       no             yes       no
11.31.yymm*    11i v3    yes       no             yes       no
* Updated 11i v2/v3 media kits continue to be released every ~six months
To determine which media kit your system was installed from, use swlist to check the version# on the QPKBASE patch bundle.
# swlist -l bundle QPKBASE
# Initializing...
# Contacting target "rx26u221"...
#
# Target: myhost:/
#
QPKBASE B.11.31.0903.334a Base Quality Pack Bundle for HP-UX 11i v3, March 2009
The slides and notes in this course cover all three currently supported versions of the operating system: 11i v1, v2, and v3. The lab exercises require 11i v3.
To determine end of support dates for each current HP-UX version, see HP's support roadmap online at http://www.hp.com/go/hpuxservermatrix.
1–4. SLIDE: HP-UX System Administration Resources
Student Notes
Beyond this course, there is a wealth of resources available to assist new HP-UX system administrators.
http://www.hp.com
HP's corporate/product website describes all of HP's current hardware, software, and service offerings.
http://itrc.hp.com
HP's IT Resource Center provides a wealth of cookbooks, white papers, FAQ lists, patches, user forums, and an online response center that you can use to research HP-UX features and problems. The ITRC user forums are particularly helpful. Portions of the ITRC content are only available to customers with support contracts.
http://docs.hp.com
HP's documentation website provides an online, searchable library containing all of HP's HP-UX manuals. If your site doesn't have Internet access, the Instant Information DVD included in the HP-UX media kit provides DVD-based access to the same documents.
The HP-UX System Administrator's Guide, volumes 1-5, provides particularly useful information for new HP-UX 11i v3 system administrators.
The equivalent HP-UX 11i v1 and v2 manual is titled Managing Systems and Workgroups: A Guide for HP-UX System Administrators.
http://software.hp.com/
Visit HP's software download website to download and purchase HP-UX software products and updates.
http://www.hp.com/education
HP Education Services offers a wide variety of courses on HP-UX and other HP products. Visit our website regularly to stay abreast of the latest course offerings.
HP-UX System Administration Resources
HP's product website: http://www.hp.com/
HP's IT Resource Center: http://itrc.hp.com/
HP's documentation website: http://docs.hp.com/
HP's software download website: http://software.hp.com/
HP Education Services: http://www.hp.com/education
In addition to the traditional UNIX man pages, HP provides a number of resources that you can use to learn more about your HP-UX system.
Module 2 - Navigating the SMH
Objectives
Upon completion of this module, you will be able to do the following:
• Describe the purpose and features of SAM and the SMH.
• Launch the SMH GUI and TUI interfaces.
• Enable SMH autostart functionality.
• View hardware status information via the SMH.
• Launch SMH tools.
• Create custom SMH tools.
• Execute SMH tasks.
• View log files via the SMH.
• Configure SMH group access rights.
• Configure SMH authentication.
• Describe SMH/SIM integration possibilities.
2-1. SLIDE: SAM and SMH Overview
Student Notes
New HP-UX system administrators often find that HP's System Administration Manager (SAM)
and System Management Homepage (SMH) interfaces simplify many administration tasks.
Both tools provide intuitive, menu-based interfaces for adding users, configuring the
kernel, configuring network interface cards, and other common administration tasks. Both
also include informative help screens and automatic error-checking.
Like many menu-based interfaces, though, both SAM and SMH often provide less flexibility
than command line utilities.
The notes below describe the features of both tools. The remainder of this module focuses
on the SMH. An appendix at the end of the course discusses SAM in a bit more detail.
SAM and SMH Overview
• SAM provides an intuitive, menu-based administration interface in 11i v1 and v2
• SMH provides an intuitive, menu-based administration interface in 11i v3
• Both tools simplify complex administration tasks and minimize errors
• Both tools are sometimes less flexible than the command-line interface

Feature                                           SAM          SMH
HP-UX versions supported                          11i v1, v2   11i v1*, v2*, v3
Intuitive Terminal User Interface (TUI)           Yes          Yes, in 11i v3 only
Intuitive Graphical User Interface (GUI)          X-based      Web-based
Configurable to provide access to non-root users  Yes          Yes
Built-in help facility                            Yes          Yes
Customizable and extensible                       Yes          Yes
Uses standard HP-UX commands to perform tasks     No           Yes
Integrates with HP Systems Insight Manager (SIM)  No           Yes
Windows, Linux support                            No           Yes
HP-UX versions supported
SAM is the primary menu-based administration tool for 11i v1 and v2. The SMH is available
for these older versions of the operating system, but with limited functionality.
SMH replaces SAM entirely in 11i v3. The /usr/sbin/sam command is still available in 11i
v3, but launches the SMH rather than SAM. The latest version of the SMH for all versions of
HP-UX may be downloaded from http://software.hp.com.
Intuitive Terminal User Interface (TUI)
SAM provides an intuitive Terminal User Interface (TUI) that may be accessed in any 80x24
terminal or terminal emulator window. The TUI interface relies on standard keyboard keys
rather than a mouse to navigate the SAM menus.
In 11i v3, the SMH provides a TUI interface, too.
Intuitive Graphical User Interface (GUI)
SAM and the SMH both provide an intuitive graphical user interface. Administrators use a
mouse and keyboard to navigate the administration menus.
SAM's GUI requires X-windows. The SMH uses a more flexible, SSL-protected, web-based GUI
interface that may be accessed from any Internet Explorer or Firefox web browser.
Accessing the system via a web interface provides much greater flexibility for
administrators who manage systems remotely.
Configurable to provide access to non-root users
By default, only users with root privileges can access SAM and the SMH. However,
administrators can grant full or restricted access to other users and operators who help
manage the system, too. This makes it possible to provide root-like privileges without
sharing the root password.
Built-in help facility
SAM and the SMH both provide extensive online help.
Customizable and extensible
Administrators can add custom tools to the SAM and SMH interfaces. For instance, an
administrator might add a custom tool to launch database daemons directly from the
SAM/SMH interface.
Uses standard HP-UX commands to perform tasks
The SMH relies primarily on standard HP-UX commands. Administrators can review
commands in the SMH log file and can use those commands in scripts.
SAM uses HP-UX commands and backend scripts and executables to complete
administration tasks. Administrators can review the commands in the
/var/sam/log/samlog file, but many of the commands called from the SAM interface
cannot be executed outside of SAM.
Integrates with HP Systems Insight Manager (SIM)
HP Systems Insight Manager (SIM) provides an intuitive web interface for managing multiple
HP servers, blades, network, and storage devices. When SIM reports a problem with a
server, a few mouse clicks automatically launch the server's SMH page so the administrator
can research the cause of the problem or execute an SMH tool to resolve the issue.
SAM is not integrated with SIM.
Windows, Linux support
Though this course focuses on using SMH to manage HP-UX, the product is also available for
customers running Microsoft Windows or Linux on any HP Proliant or Integrity servers. The
SMH tools vary somewhat, but the SMH interface, architecture, and look and feel are
consistent across platforms and operating systems.
SAM is only available on HP-UX.
2-2. SLIDE: Launching the SMH TUI
Student Notes
SMH is included on the operating environment DVDs for HP-UX 11i v1 (since September 2005),
11i v2 (since May 2005), and 11i v3 (all media kits). You can also download the product
from http://software.hp.com.
Not all SMH features are available on all HP-UX versions. New media kits often introduce
new SMH functionality. Use the swlist command to determine your system's SMH version.
# swlist SysMgmtWeb
SMH has several additional dependencies, all of which are included in the 11i v2 and 11i v3
operating environments. On 11i v1, HP also recommends installing the KRNG11i patch
bundle from http://software.hp.com for improved security.
The SMH offers a web interface in all HP-UX versions, and, in 11i v3, a TUI interface as
well. To launch the TUI interface, log into the target system as user root using any 24x80
terminal emulator, and run smh.
Launching the SMH TUI
• The SMH offers a web interface and, in 11i v3, a TUI interface
• Use smh to launch the TUI interface
• Use the arrow keys and shortcuts listed at the bottom of each screen to navigate the TUI
# smh
SMH->Accounts for Users and Groups->Local Users
----------------------------------------------------------------
Login Name User ID Primary Group Real Name Last Login
================================================================
user1 301 class student NEVER
user2 302 class student Mon Jun 11 12:56:10
user3 303 class student NEVER
user4 304 class student Thu Jun 14 10:23:20
<-------------------------------------------------------------->
x-Exit smh ESC-Back 1-Help m-Modify User
ENTER-Details /-Search a-Add User Ctrl o-Other Actions
NOTE: this screenshot has been formatted and truncated to fit the slide
Use the [Tab] key to jump back and forth between the menu bar and the other regions on
the screen, and the arrow keys to scroll up and down and left and right. Look for keyboard
shortcuts at the bottom of the screen.
2-3. SLIDE: Launching the SMH GUI via Autostart
Student Notes
HP-UX provides the SMH web interface via a dedicated Apache web server daemon. There are
two common techniques for launching this daemon. By default, SMH is configured to run in
"autostart" mode, as described below. The next slide describes "start on boot" mode.
• During the system boot process, the /sbin/init.d/hpsmh startup script launches a
lightweight smhstartd daemon. smhstartd runs continuously until system shutdown, listening
for incoming connection requests from clients.
• Users connect to smhstartd via web address http://servername:2301/.
• When the server receives a connection request on http://servername:2301/, smhstartd
launches the Apache/SMH daemon via the following command.
/opt/hpws/apache/bin/httpd \
-k start \
-DSSL -f \
/opt/hpsmh/conf/smhpd.conf
Launching the SMH GUI via Autostart
• SMH web access is provided via an Apache web server daemon
• By default, SMH is configured to run in "autostart" mode
• A lightweight smhstartd daemon starts at boot time
• Users connect to smhstartd via web address http://server:2301/
• smhstartd launches the Apache/SMH daemon when needed
• smhstartd redirects each request via HTTPS to the Apache/SMH daemon
• Apache/SMH terminates after 30 minutes of inactivity
Enable SMH autostart
# smhstartconfig -a on -b off
Verify SMH autostart
# smhstartconfig
HPSMH 'autostart url' mode.........: ON
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF
Access the SMH from any web browser
# firefox http://servername.hp.com:2301/
[Diagram: Browser -> smhstartd (http://server:2301/) -> Apache/SMH (https://server:2381/)]
• smhstartd then redirects the client's request to the newly launched, SSL-enabled Apache
daemon at https://servername:2381/.
• smhstartd also launches an /opt/hpsmh/lbin/timeoutmonitor script, which automatically
terminates the Apache/SMH daemon after 30 minutes of inactivity. The timeout period is
configurable via the TIMEOUT_SMH variable in /opt/hpsmh/conf/timeout.conf.
Autostart is the default SMH configuration mode. If another administrator disabled
autostart, re-enable it via the smhstartconfig command. Then execute smhstartconfig again
without any options to verify your work.
# smhstartconfig -a on -b off
/etc/rc.config.d/hpsmh has been edited to enable
HPSMH to be autostarted using port 2301.
NOTE: HPSMH 'start on boot' mode is already disabled.
# smhstartconfig
HPSMH 'autostart url' mode.........: ON
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF
If your organization's security policy prohibits web servers on production servers, you
can disable the SMH web interface entirely with the following commands:
# smhstartconfig -a off -b off
/etc/rc.config.d/hpsmh has been edited to disable
the autostarting of HPSMH using port 2301.
NOTE: HPSMH 'start on boot' mode is already disabled.
# smhstartconfig
HPSMH 'autostart url' mode.........: OFF
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF
Changes made via smhstartconfig simply modify variables in the /etc/rc.config.d/hpsmh
file, which is read by the /sbin/init.d/hpsmh startup script during the boot process. This
file can also be edited directly with the vi editor. After making changes, be sure to
re-run the startup script.
# vi /etc/rc.config.d/hpsmh
# /sbin/init.d/hpsmh start
2-4. SLIDE: Launching the SMH GUI via Start-on-Boot
Student Notes
The previous slide explained how to launch the Apache/SMH daemon on an as-needed basis
via SMH autostart. Administrators who wish to connect to the SMH directly via HTTPS may
prefer to start the Apache/SMH daemon during the boot process and allow it to run
perpetually.
Autostart is the default SMH configuration mode. Use the smhstartconfig command to
enable and verify SMH start-on-boot.
# smhstartconfig -a off -b on
/etc/rc.config.d/hpsmh has been edited to disable
the autostarting of HPSMH using port 2301.
/etc/rc.config.d/hpsmh has been edited to enable
the 'start on boot' startup mode of HPSMH server.
# smhstartconfig
HPSMH 'autostart url' mode.........: OFF
HPSMH 'start on boot' mode.........: ON
Start Tomcat when HPSMH starts.....: OFF
Launching the SMH GUI via Start-on-Boot
• Alternatively, configure the Apache/SMH daemon to run perpetually
• Apache/SMH daemon starts at boot time and runs perpetually
• Users connect directly to the Apache/SMH daemon via HTTPS
• Advantage: SMH clients can connect directly via HTTPS, avoiding a redirect
• Disadvantage: Apache runs perpetually on the system
Enable SMH start-on-boot
# smhstartconfig -a off -b on
Verify SMH autostart
# smhstartconfig
HPSMH 'autostart url' mode.........: OFF
HPSMH 'start on boot' mode.........: ON
Start Tomcat when HPSMH starts.....: OFF
Access the SMH from any web browser
# firefox https://server:2381/
[Diagram: Browser -> Apache/SMH (https://server:2381/)]
If your organization's security policy prohibits web servers on production servers, you
can disable the SMH web interface entirely with the following commands:
# smhstartconfig -a off -b off
/etc/rc.config.d/hpsmh has been edited to disable
the autostarting of HPSMH using port 2301.
NOTE: HPSMH 'start on boot' mode is already disabled.
# smhstartconfig
HPSMH 'autostart url' mode.........: OFF
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF
Changes made via smhstartconfig simply modify variables in the /etc/rc.config.d/hpsmh
file, which is read by the /sbin/init.d/hpsmh startup script during the boot process. This
file can also be edited directly with the vi editor. After making changes, be sure to
re-run the startup script.
# vi /etc/rc.config.d/hpsmh
# /sbin/init.d/hpsmh start
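The two start-up modes and the disable procedure described above can be checked from the shell by comparing what smhstartconfig reports with the ports that are actually listening. The script below is an added example, not part of the course material; the sample smhstartconfig and netstat -an text is constructed, and the function names and the "*.port" local-address layout are assumptions.

```shell
#!/bin/sh
# Added example (not part of the course material). All sample text is constructed.

# Constructed `smhstartconfig` output: web interface disabled.
CFG_DISABLED="HPSMH 'autostart url' mode.........: OFF
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF"

# Constructed `smhstartconfig` output: default autostart mode.
CFG_AUTOSTART="HPSMH 'autostart url' mode.........: ON
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF"

# Constructed `netstat -an` excerpts (assumed local-address form "*.port").
NETSTAT_2381="tcp        0      0  *.22        *.*     LISTEN
tcp        0      0  *.2381      *.*     LISTEN"
NETSTAT_2301="tcp        0      0  *.22        *.*     LISTEN
tcp        0      0  *.2301      *.*     LISTEN"
NETSTAT_NONE="tcp        0      0  *.22        *.*     LISTEN"

# Print the configured mode: autostart, start-on-boot, both, disabled or unknown.
smh_web_mode() {
    printf '%s\n' "$1" | awk '
        /autostart url/ { auto = $NF }
        /start on boot/ { boot = $NF }
        END {
            if      (auto == "ON"  && boot == "ON")  print "both"
            else if (auto == "ON"  && boot == "OFF") print "autostart"
            else if (auto == "OFF" && boot == "ON")  print "start-on-boot"
            else if (auto == "OFF" && boot == "OFF") print "disabled"
            else                                     print "unknown"
        }'
}

# Print the SMH ports (2301 and/or 2381) that have a listening TCP socket.
smh_listening_ports() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            for (i = 1; i < NF; i++)
                if ($i ~ /[.:](2301|2381)$/) {
                    n = split($i, part, "[.:]")
                    seen[part[n]] = 1
                    break
                }
        }
        END {
            out = ""
            if ("2301" in seen) out = "2301"
            if ("2381" in seen) out = (out == "" ? "" : out " ") "2381"
            print out
        }'
}

# Compare configuration with reality.
# Prints "mode=<m> listening=<ports|none> verdict=<consistent|drift|review>".
smh_exposure_verdict() {
    ev_mode=$(smh_web_mode "$1")
    ev_ports=$(smh_listening_ports "$2")
    case "$ev_mode" in
        disabled)       # neither smhstartd nor Apache/SMH should be listening
            if [ -z "$ev_ports" ]; then ev_v=consistent; else ev_v=drift; fi ;;
        autostart)      # smhstartd holds 2301; 2381 appears only while Apache/SMH runs
            case " $ev_ports " in *" 2301 "*) ev_v=consistent ;; *) ev_v=drift ;; esac ;;
        start-on-boot)  # Apache/SMH holds 2381 permanently
            case " $ev_ports " in *" 2381 "*) ev_v=consistent ;; *) ev_v=drift ;; esac ;;
        *)  ev_v=review ;;   # both ON, or output not recognised
    esac
    echo "mode=$ev_mode listening=${ev_ports:-none} verdict=$ev_v"
}

# "No web server on production hosts" policy: pass only if the mode is
# disabled AND nothing listens on either SMH port.
smh_noweb_policy() {
    case "$(smh_exposure_verdict "$1" "$2")" in
        "mode=disabled listening=none verdict=consistent") echo compliant ;;
        *) echo violation ;;
    esac
}

# Demo on the constructed samples. On a live host, pass "$(smhstartconfig)"
# and "$(netstat -an)" instead.
smh_exposure_verdict "$CFG_DISABLED"  "$NETSTAT_2381"
smh_exposure_verdict "$CFG_AUTOSTART" "$NETSTAT_2301"
smh_noweb_policy     "$CFG_DISABLED"  "$NETSTAT_NONE"
```

A "drift" verdict with mode=disabled means the configuration file says off while a daemon from before the change is still accepting connections.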
2-5. SLIDE: Verifying the SMH Certificate
Student Notes
If the SMH start-on-boot functionality is enabled, users connect directly to the SMH via
https://server:2381/. If SMH autostart functionality is enabled, users initially connect
to http://server:2301/, then get redirected to https://server:2381/. In either case, the
user ultimately accesses the SMH server through an HTTPS Secure Socket Layer (SSL)
connection.
Accessing the server via SSL ensures that:
• All communications between the browser and SMH server are encrypted, and
• Users can verify the identity of the SMH server to which they are connected.
Any time a web browser accesses a website via the HTTPS protocol, the web server presents
a security "certificate". The client browser compares the certificate provided by the web
server with information obtained from a trusted "certificate authority" (CA) such as
http://www.verisign.com.
Verifying the SMH Certificate
Browsers use security "certificates" to authenticate the identity of HTTPS servers
• By default, SMH uses "self-signed" security certificates
• Some administrators install certificates signed by a Certificate Authority (CA) instead
If using "self-signed" certificates, browsers may display a security warning
[Screenshots: Mozilla security certificate warning; IE security certificate warning]
By default, SMH uses "self-signed" certificates, which are signed by the SMH server itself
rather than a well-known CA. The browser can't determine the authenticity of self-signed
certificates, so it displays a warning similar to the messages shown on the slide. If you
see a security certificate warning message, but your server and client reside on a secure,
trusted network, you may choose to ignore the message and proceed with the connection.
For better security, security-conscious administrators prefer to install a "signed"
certificate on the SMH server from a trusted CA. The process required to install a signed
certificate on an SMH server is described on the SMH Settings->Security->Local Server
Certificate screen in the SMH interface.
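A self-signed certificate can still be authenticated by comparing its fingerprint with the one read from the certificate on the server console, which gives the browser warning a concrete check behind it. The script below is an added example, not part of the course material; it assumes OpenSSL is available to produce the certificate summary, the certificate text and fingerprints are constructed, the function names are hypothetical, and <path-to-SMH-certificate> is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the course material). Certificate text is constructed.
#
# On the client, summarise the certificate the SMH server presents:
#   openssl s_client -connect server:2381 </dev/null 2>/dev/null |
#       openssl x509 -noout -subject -issuer -fingerprint -sha256
# On the server console, read the fingerprint of the installed certificate:
#   openssl x509 -in <path-to-SMH-certificate> -noout -fingerprint -sha256

# Constructed summary of a self-signed certificate as seen from the client.
CERT_SUMMARY='subject=C = US, O = Example Corp, CN = server1.example.com
issuer=C = US, O = Example Corp, CN = server1.example.com
sha256 Fingerprint=3A:7C:91:0E:5D:22:B8:F4:6A:13:C9:08:7E:D5:41:9B:E2:60:A7:3F:18:CC:54:0D:96:2B:F1:85:4E:73:D0:AC'

# Constructed fingerprint as noted on the server console (different case, no colons).
CONSOLE_FP='3a7c910e5d22b8f46a13c9087ed5419be260a73f18cc540d962bf1854e73d0ac'

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex digits.
fp_norm() {
    printf '%s' "$1" | tr -d ': \t\n\r' | tr 'abcdef' 'ABCDEF'
}

# smh_cert_verdict SUMMARY EXPECTED_FP
# Prints "<self-signed|issued-by-other|unknown-issuer> <match|MISMATCH|no-fingerprint>".
smh_cert_verdict() {
    cv_want=$(fp_norm "$2")
    printf '%s\n' "$1" | awk -v want="$cv_want" '
        # Strip the "subject=" / "issuer=" label and surrounding blanks.
        function dn(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^subject/ { subj = dn($0) }
        /^issuer/  { iss  = dn($0) }
        /[Ff]ingerprint=/ {
            fp = $0
            sub(/^.*[Ff]ingerprint=/, "", fp)
            gsub(/[^0-9A-Fa-f]/, "", fp)
            fp = toupper(fp)
        }
        END {
            if (subj == "" || iss == "") kind = "unknown-issuer"
            else if (subj == iss)        kind = "self-signed"
            else                         kind = "issued-by-other"
            if (fp == "")                pin = "no-fingerprint"
            else if (fp == want)         pin = "match"
            else                         pin = "MISMATCH"
            print kind, pin
        }'
}

# Continue past the browser warning only when the fingerprint matches the
# value obtained out-of-band; anything else means stop and investigate.
smh_cert_decision() {
    case "$(smh_cert_verdict "$1" "$2")" in
        *" match") echo proceed ;;
        *)         echo stop ;;
    esac
}

# Demo on the constructed data.
smh_cert_verdict  "$CERT_SUMMARY" "$CONSOLE_FP"
smh_cert_decision "$CERT_SUMMARY" "$CONSOLE_FP"
```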
2-6. SLIDE: Logging into the SMH
Student Notes
After connecting to the SMH daemon, enter an authorized HP-UX username/password. By
default, only members of the HP-UX root group can log into the SMH. User root is typically
the only member of the root group. To determine which users belong to your system's root
group, use nsquery.
# nsquery group root
No policy for group in nsswitch.conf.
Using "files nis" for the group policy.
Searching /etc/group for root
Group name: root
Group Id: 0
Group membership: root
Switch configuration: Terminates Search
A later slide in this chapter explains how to grant other user groups access to the SMH,
too.
Logging into the SMH
• After connecting to the SMH daemon, enter an authorized HP-UX username/password
• By default, only members of the HP-UX root group can log into the SMH
• Other HP-UX groups can optionally be granted access to the SMH, too
2-7. SLIDE: SMH Menus and Tabs
Student Notes
The SMH utilizes a tabbed interface.
• Use the "Home" tab, the default tab, to view summary system status information.
• Use the "Settings" tab to customize SMH security and add custom menu items.
• Use the "Tasks" tab to execute arbitrary commands on the server.
• Use the "Tools" tab to view and configure OS features.
• Use the "Logs" tab to launch SMH's web-based log file viewers.
• Use the "Support" tab to access HP's online IT Resource Center and user forums.
• Use the "Help" tab to learn more about the SMH.
The next few slides describe each tab in detail.
SMH Menus and Tabs
SMH utilizes a tabbed interface
• Use the "Home" tab, the default tab, to view hardware/status information
• Use the "Settings" tab to customize SMH security and add custom menu items
• Use the "Tasks" tab to execute arbitrary commands on the server
• Use the "Tools" tab to view and configure OS features
• Use the "Logs" tab to launch SMH's web-based log file viewers
• Use the "Support" and "Help" tabs to get help
[Screenshot callouts: Which SMH screen am I viewing?; General Host Information; MP Link; Icon Legend; Refresh Data; Toggle Menu Format; Return to Main Menu; Logout; Disable Timeout; Menu Tabs]
The SMH banner graphic includes links to a number of other resources in the SMH, too.
• On the far left, the SMH reports which SMH screen you are currently viewing.
• The next block reports your system hostname and model string.
• The next block provides a link to the Management Processor, which provides a console
login interface that is required for some system administration tasks.
• Two icons on the far right enable you to select the SMH list or icon menu format.
• Two links above the menu format buttons take you back to the SMH "Home" screen, or
log you out.
• The "Legend" link displays a legend that explains the meaning of the SMH icons.
• The "Refresh" link refreshes the current SMH screen when system conditions change.
• By default, SMH sessions terminate after several minutes of inactivity. Click the
checkbox at top right to disable the auto-logout feature.
2-8. SLIDE: SMH->Home (1 of 2)
Student Notes
The SMH "Home" tab summarizes the status of the cooling, power, memory, and other
hardware subsystems. The subsystems listed may vary somewhat from system model to
system model. To learn more about a subsystem, click the subsystem name.
To the left of each subsystem name, the SMH displays a color-coded icon that represents the
subsystem's health status. Click the "Legend" link in the SMH header, or see the legend
included on the slide, to determine what each icon represents.
The oversize status icon at the top left of the SMH "Home" page summarizes the overall
system status. In the sample system shown on the slide, one of the network interface cards
is disconnected, which results in a minor warning for the network subsystem, and for the
system as a whole.
Though not shown in the screenshot on the slide, the "Home" tab also includes a "System
Configuration" box containing links to some of the commonly used SMH system
administration tools. A slide later in this chapter discusses tools in detail.
SMH->Home (1 of 2)
• The SMH "Home" tab summarizes the status of the system's subsystems
• Click any subsystem for more detailed information
• Contents of the "Home" tab vary from model to model
• Click the "Legend" link to view an icon legend
WBEM
The SMH collects status information about the operating system and the system hardware via
Web Based Enterprise Management (WBEM) protocols and standards. WBEM is an industry
standard developed and used by multiple vendors. Most HP operating systems, platforms
and devices include WBEM "providers" that provide information to SMH and other HP
management tools.
To learn more about HP's WBEM providers and solutions, visit
http://www.hp.com/go/wbem. To learn more about WBEM standards and protocols,
visit http://www.dmtf.org/standards/wbem/.
Use the swlist command to see which WBEM providers are installed on your HP-UX 11i v1,
v2, or v3 system.
# swlist -l product | grep -i wbem
LVM-Provider R11.23.007 LVM WBEM Provider
SCSI-Provider B.11.23.050 CIM/WBEM Provider for SCSI HBA
SGWBEMProviders A.01.00.00 HP Serviceguard WBEM Providers
WBEMP-LAN B.11.23.03 LAN Provider: CIM/WBEM Provider
WBEMServices A.02.00.11 WBEM Services CORE Product
vmProvider A.01.20.69 WBEM Provider for Integrity VM
HP adds new and updated WBEM providers in each media kit release. The latest WBEM
providers are also available on http://software.hp.com.
2-9. SLIDE: SMH->Home (2 of 2)
Student Notes
From the SMH "Home" tab, you can click any subsystem link to view more detailed
information about that subsystem. The screenshot on the slide shows the physical memory
subsystem detail, including the status, location, capacity, type, and serial number of each
DIMM (Dual Inline Memory Module).
SMH->Home (2 of 2)
From the "Home" tab ...
• Click a hardware subsystem (e.g.: "Physical Memory") for more details
• Output varies from model to model
NOTE: screenshot has been formatted and truncated to fit the slide
2-10. SLIDE: SMH->Tools (1 of 4)
Student Notes
The SMH "Tools" tab provides GUI interfaces for many common system administration tasks.
The slide shows some of the tools included by default in the SMH.
Some tools launch GUI interfaces, some launch web interfaces, others run command line
utilities. In the current release, some SMH tools launch legacy SAM interfaces, too.
Supported tools vary from OS release to OS release.
SMH->Tools (1 of 4)
The "Tools" tab provides GUI interfaces for many common admin tasks
• Some tools launch GUI interfaces, some launch web interfaces, others run CLIs
• Supported tools vary from release to release
2-11. SLIDE: SMH->Tools (2 of 4)
Student Notes
In order to launch a tool, simply click the tool's link on the SMH "Tools" tab.
The interface that follows varies from tool to tool. Most of the recently developed tools
use a web interface similar to the "File System" tool shown on the slide.
• Click a tool (e.g.: "File Systems") on the "Tools" tab.
• Select an object (e.g.: "/home") from the resulting object list.
• Select an action (e.g.: "Unmount") from the resulting action list on the right side of
the screen.
• Provide the information requested in the dialog box that follows.
SMH->Tools (2 of 4)
To run a tool...
• Click a tool (e.g.: "File Systems") on the "Tools" tab
• Select an object (e.g.: "/home") from the resulting object list
• Select an action (e.g.: "Unmount") from the resulting action list
• Provide the information requested in the dialog box that follows
2-12. SLIDE: SMH->Tools (3 of 4)
Student Notes
Tool dialog boxes vary from tool to tool.
Most include an explanation of the tool's purpose, its limitations, and any potential
side effects.
Most include a "Preview" button that displays the HP-UX command(s) that will be executed
by the tool.
SMH->Tools (3 of 4)
• Dialog boxes vary from tool to tool
• Most include an explanation of the tool and its limitations and side-effects
• Most include a preview button that displays the HP-UX command(s) executed by the tool
2-13. SLIDE: SMH->Tools (4 of 4)
Student Notes
Some SMH tools simply launch legacy SAM interfaces, or other GUI and CLI applications.
Launching these types of tools displays a window similar to the dialog box shown on the
slide. To use these tools:
• Select your preferred language from the pull-down menu. English users should select
"C".
• If the tool is GUI-based, enter your desktop system's $DISPLAY name. Execute echo
$DISPLAY in a shell window to determine the appropriate display name.
• Look at the command preview at the bottom of the screen to determine which
command the tool executes.
• Click "Run".
SMH->Tools (4 of 4)
Some SMH tools are simply wrappers for external non-web-based applications
• Select your preferred language
• Enter your desktop system's $DISPLAY variable value
• Look at the command preview to determine which command the tool executes
• Click "Run"
NOTE: screenshot has been formatted and truncated to fit the slide
What happens next varies from tool to tool. CLI-based tools simply execute the command
and display the resulting STDOUT/STDERR output. Web-based tools run in a new browser
window. X-based applications, such as the swinstall tool shown on the slide, launch
an X-based interface similar to the swinstall interface below.
2-14. SLIDE: SMH->Settings
Student Notes
The SMH has quite a few built-in tools. For even more flexibility, SMH allows the
administrator to add custom tools, too.
• Access the "Settings" tab.
• Click "Add Custom Menu".
• Use the resulting dialog box to create the custom tool.
• Custom tools may be added to existing tool categories, or new custom categories.
• Custom tools may launch X applications, non-interactive CLI commands, or web-based
applications.
• Custom tools may be configured to run as root when launched by non-root users.
• To execute a custom tool, just click the tool's link as you would any other SMH tool.
CLI-based tools execute the command non-interactively and display the resulting
STDOUT/STDERR output. Web-based tools run in a new browser window. GUI-based
tools open a new X-window.
SMH->Settings
The "Settings" tab allows you to add and remove your own custom tools, too
• Access the "Settings" tab
• Click "Add Custom Menu"
• Use the resulting dialog box to create the custom tool
• Custom tools may be added to existing SMH tool categories, or new custom categories
• Custom tools may launch X applications, CLI commands, or web applications
• Custom tools may be configured to run as root when launched by non-root users
• Custom tools may be executed just like built-in SMH tools
2-15. SLIDE: SMH->Tasks
Student Notes
The SMH "Settings" tab allows administrators to create permanent custom tools to execute
frequently-used commands. The SMH "Tasks" tab allows administrators to execute one-time
commands remotely, without permanently adding a tool to the SMH menus.
• Access the "Tasks" tab.
• Click "Launch" or "Run" and follow the prompts to run the program. Select your
preferred language from the pull-down menu. English users should select "C". If the tool
is GUI-based, enter your desktop system's $DISPLAY name. Execute echo $DISPLAY
in a shell window to determine the appropriate display name.
• SMH reports the command's STDERR and STDOUT output.
SMH->Tasks
Use the "Tasks" tab to execute a single command through the SMH
• Access the "Tasks" tab
• Click "Launch" or "Run", and follow the prompts to run the program
• SMH reports the command's STDERR and STDOUT output
2-16. SLIDE: SMH->Logs
Student Notes
SMH provides web-based log file viewers for viewing and filtering several common system
log files.
• Access the "Logs" tab.
• Select a log file viewer (e.g.: "System Log Viewer"). Different log viewers may have
slightly different interfaces. The steps below apply to the "System Log Viewer", which
displays the contents of the /var/adm/syslog/syslog.log log file. The
syslog.log file captures error, warning, and status messages from a variety of
subsystems and services.
- Use the "Select" tab to select a log file (e.g.: "syslog.log" vs. "OLDsyslog.log").
- Use the "Layout" tab to customize the column layout, and use the "Filters" tab to
filter the log file contents by date and time.
- Use the "Display" tab to view the log file contents. Use the scroll bar to move
forwards and backwards through the file. Use the "Search" text box to search the file
for specific patterns.
- Log file viewer features for other log files may vary.
If you want to add log file viewers for other log files into the SMH, use the "Add Custom
Menu" feature described previously, put the tool on the "Logs" page, and enter
"/usr/bin/cat /my/log/file/name" in the "Command/URL" field.
SMH->Logs
SMH provides web-based log file viewers for viewing some common system log files
• Access the "Logs" tab
• Select a log file viewer (e.g.: "System Log Viewer")
• Use the "Select" tab to select a log file (e.g.: "syslog.log" vs. "OLDsyslog.log")
• Use the "Layout" and "Filters" tabs to customize the column layout
• Use the "Display" tab to view the log contents
• Log file viewer features for other log files may vary
2–17. SLIDE: SMH Group Access Control
Student Notes
Users must enter a valid HP-UX username/password in order to access the SMH. SMH
determines a user's access rights (if any) via the user's HP-UX group memberships.
By default, only members of the root group can access the SMH. If other users such
as operators, backup administrators, or database administrators need access to the
SMH, use the "Settings->Security->User Groups" menu to grant SMH access to other
HP-UX groups.
The "User Groups" menu offers three different access levels.
Members of groups that have SMH "Administrator" privileges can use all of the SMH
tools and features, add custom tools, and grant SMH access rights to other user
groups. By default, the SMH grants members of the root group SMH "Administrator"
privileges.
Members of groups that have SMH "Operator" privileges can access most SMH tools and
features, but cannot add or remove custom tools, execute arbitrary tasks as root,
or modify the SMH user, group, security, and authentication settings.
Members of groups that have SMH "User" privileges can use tools that display
information but cannot use SMH tools to modify either the system or SMH
configuration.
SMH Group Access Control
• Users must enter a valid HP-UX username/password in order to access the SMH
• SMH determines a user's access rights (if any) via the user's HP-UX group
  memberships
• By default, only members of the root group can access the SMH
• Use Settings->Security->User Groups to grant SMH access to other HP-UX groups
Access Control in the SMH TUI
The SMH TUI interface manages access control via a different mechanism. By default,
only the administrator can launch the SMH TUI. To provide TUI access to non-root
users, launch the TUI-based smh -r restricted SMH user configuration tool and
select a user.
# smh -r
The privileges set for the user from the Text User Interface doesn't
apply to Graphical User Interface. System Management Homepage(SMH)
in Graphical User Interface has a different way of setting the
privileges. Please look at smh(1M) man page for more information
Do you want to continue (y/n) <y>: y
SMH->Restricted SMH->Select users
--------------------------------------------------------------------
Login          Primary        Has SAM
users          Group          privileges
====================================================================
user1          users          Yes
user2          users          No
user3          users          No
user4          users          No
user6          users          No
user7          users          No
user8          users          No
user9          users          No
user10         users          No
--------------------------------------------------------------------
x-Exit smh            ENTER-Select        /-Search
r-Remove Privileges   g-Display Groups
Next, specify which SMH functional areas the user should be allowed to access. Be
sure to press s to save the selected privileges before exiting.
SMH->Restricted SMH->Functional Areas
Selected user : user1
--------------------------------------------------------------------
Functional Areas                          Access Status
====================================================================
Resource Management                       Disabled
Disks and File Systems                    Enabled
Display                                   Disabled
Kernel Configuration                      Disabled
Printers and Plotters                     Disabled
Networking and Communications             Disabled
Peripheral Devices                        Disabled
Security Attributes Configuration         Disabled
Software Management                       Disabled
Auditing and Security                     Disabled
Accounts for Users and Groups             Disabled
--------------------------------------------------------------------
x-Exit smh   Esc-Back    s-Save Privileges   D-Disable All
e-enable     d-disable   E-Enable All
The user should then be able to run /usr/sbin/smh and access the selected SMH
functional areas.
2–18. SLIDE: SMH Authentication
Student Notes
Security-conscious system administrators can enable additional SMH authentication
features via other links on the "Settings->Security" menu.
Local/Anonymous Access
Anonymous Access enables a user to access the System Management Homepage without
logging in. This feature is disabled by default. HP does not recommend enabling
anonymous access.
Local Access enables local users to access the System Management Homepage without
being challenged for authentication.
If Local Access/Anonymous is selected, any local user has access limited to
unsecured pages without being challenged for a username and password.
If Local Access/Administrator is selected, any user with access to the local
console is granted full access to all SMH features.
SMH Authentication
• Anonymous/Local Access:
  Allow local and/or remote users to access the SMH without providing a
  username/password
• IP Binding:
  Only allow users to access SMH from selected networks
• IP Restricted login:
  Only allow users to access SMH from selected IP addresses
• Local Server Certificate:
  Import a security certificate for the SMH server from a third party
• Timeouts:
  Specify SMH session timeout values
• Trust Mode:
  Determine how SMH authenticates configuration requests from remote SIM servers
• Trusted Management Servers:
  Import security certificates for SIM servers, if using SIM to remotely manage
  SMH nodes
Security-conscious system administrators can enable additional SMH authentication
features via other links on the Settings->Security menu
IP Binding
IP Binding specifies which IP networks and subnets the System Management Homepage
accepts requests from. A maximum of five subnet IP addresses and netmasks can be
defined.
The System Management Homepage allows access from 127.0.0.1. If IP Binding is
enabled and no subnet/mask pairs are configured, then the System Management
Homepage is only available to 127.0.0.1. If IP Binding is not enabled, users can
access the SMH from any network or subnet.
IP Restricted login
IP Restricted Login allows the administrator to specify a semicolon-separated list
of IP address ranges that should be explicitly allowed or denied SMH access.
If an IP address is excluded, it is excluded even if it is also listed in the
included box. If there are IP addresses in the inclusion list, then only those IP
addresses are allowed log-in access, with the exception of localhost. If no IP
addresses are in the inclusion list, then log-in access is allowed to any IP
addresses not in the exclusion list.
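The IP Binding and IP Restricted Login rules described above, modelled in Python so a planned policy can be checked against known client addresses before it is applied. This is an added example, not SMH code: the function names, the `low-high` range syntax, the IPv4-only handling, the treatment of an excluded localhost and the sample addresses are all assumptions.

```python
import ipaddress

LOCALHOST = ipaddress.ip_address("127.0.0.1")
MAX_SUBNETS = 5  # the notes allow at most five subnet/netmask pairs


def binding_allows(client, enabled, subnets):
    """IP Binding rule. subnets is a list of (subnet_ip, netmask) string pairs."""
    if len(subnets) > MAX_SUBNETS:
        raise ValueError("IP Binding accepts at most five subnet/netmask pairs")
    addr = ipaddress.ip_address(client)
    # 127.0.0.1 is always accepted; with binding off, every network is accepted.
    if addr == LOCALHOST or not enabled:
        return True
    # Binding on with no pairs configured leaves only 127.0.0.1 (any() is False).
    return any(
        addr in ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for ip, mask in subnets
    )


def parse_ranges(spec):
    """Parse a semicolon-separated list of addresses or low-high ranges.

    The 'low-high' range syntax is an assumption made for this example.
    """
    ranges = []
    for item in filter(None, (part.strip() for part in spec.split(";"))):
        low, _, high = item.partition("-")
        lo = ipaddress.ip_address(low.strip())
        hi = ipaddress.ip_address(high.strip()) if high else lo
        if hi < lo:
            raise ValueError(f"range end precedes range start: {item}")
        ranges.append((lo, hi))
    return ranges


def _listed(addr, ranges):
    return any(lo <= addr <= hi for lo, hi in ranges)


def restricted_login_allows(client, include="", exclude=""):
    """IP Restricted Login rule, evaluated in the order the notes give."""
    addr = ipaddress.ip_address(client)
    # Exclusion wins even when the address is also included. Applying it to
    # localhost as well is an assumption; the notes do not cover that case.
    if _listed(addr, parse_ranges(exclude)):
        return False
    included = parse_ranges(include)
    if not included:
        return True  # empty inclusion list: anything not excluded may log in
    return addr == LOCALHOST or _listed(addr, included)


def review(clients, policy):
    """Return {client: (binding_ok, login_ok)} so each rule can be read separately."""
    return {
        c: (
            binding_allows(c, policy["binding_enabled"], policy["subnets"]),
            restricted_login_allows(c, policy["include"], policy["exclude"]),
        )
        for c in clients
    }


# Constructed policy and client list, for illustration only.
POLICY = {
    "binding_enabled": True,
    "subnets": [("10.1.0.0", "255.255.0.0")],
    "include": "10.1.5.1-10.1.5.50; 10.1.9.9",
    "exclude": "10.1.5.10",
}
CLIENTS = ["127.0.0.1", "10.1.5.10", "10.1.5.11", "10.1.200.1", "192.0.2.7"]

if __name__ == "__main__":
    for client, (binding_ok, login_ok) in review(CLIENTS, POLICY).items():
        print(f"{client:12} binding={binding_ok!s:5} login={login_ok}")
```

The two results are reported separately because the notes do not state how SMH combines the two settings.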
Local Server Certificate
When a user connects to the server's SMH, the client browser uses public/private
key authentication to verify that the browser connected to the legitimate server.
SMH uses "self-signed" certificates by default. For greater security, SMH
administrators can obtain authentication keys for the SMH server from a third
party Certificate Authority. The SMH help screens explain this process in detail.
Timeouts
Use this feature to change SMH session and interface timeout values.
Trust Mode
HP Systems Insight Manager (SIM) is an HP product that allows administrators to
monitor and manage multiple servers and devices from a central management station.
The next slide provides a brief overview of SIM functionality. SIM utilizes SMH for
some management tasks. The SMH "Trust Mode" screen determines how SMH authenticates
requests received from remote servers.
Trusted Management Servers
If the SMH "Trust Mode" described above requires public/private key authentication
of SIM servers, use the "Trusted Management Servers" link in SMH to import
certificates from the SIM server.
User Groups
See the previous slide for a discussion of SMH User Groups.
2–19. SLIDE: SMH and SIM Integration Possibilities
Student Notes
HP SMH provides an intuitive web interface for managing a single HP system. HP
Systems Insight Manager provides an intuitive web interface for managing multiple
HP servers and devices from a consolidated central management interface.
SIM manages all HP-supported operating systems, and most HP-supported devices,
including storage devices, blade servers, ProLiant Windows/Linux servers, blade
enclosures and servers, and much more.
SIM integrates with the SMH, and can seamlessly launch any HP Windows/Linux/HP-UX
server's SMH.
SIM consolidates status, log, and other information from multiple nodes. In large
environments, this consolidated monitoring greatly simplifies monitoring and
troubleshooting tasks.
SIM provides robust role-based security, using single-sign-on key-based
authentication, so authorized administrators can seamlessly access multiple servers
in a secure fashion without entering multiple usernames and passwords.
SMH and SIM Integration Possibilities
HP SMH provides an intuitive web interface for managing a single system
HP SIM provides an intuitive web interface for managing multiple systems
• SIM manages all HP-supported operating systems, and most HP-supported devices
• SIM can automatically, seamlessly launch any server's SMH page
• SIM consolidates status, log, and other information from multiple nodes
• SIM provides robust role-based security and key-based authentication
• SIM is included with HP-UX; other licensed plug-ins provide even greater
  functionality
Basic SIM functionality is included with HP-UX. Some customers purchase additional
SIM plug-ins for even greater flexibility.
For more information about SIM, attend HP Education's HB508S "HP-UX Systems Insight
Manager" class, or visit the SIM product page at http://www.hp.com/go/hpsim.
2–20. SLIDE: For Further Study
Student Notes
For Further Study
Course from HP Customer Education:
  HB508S HP Systems Insight Manager (SIM) for HP-UX
Manuals on http://docs.hp.com:
  HP System Management Homepage User Guide
  HP System Management Homepage Installation Guide
  HP System Management Homepage Release Notes
2–21. LAB: Configuring and Using the System Management Homepage
Directions
Carefully follow the instructions below and record your answers in the spaces
provided.
Part 1: Configuring SMH autostart functionality
1. Verify that the SysMgmtWeb product is installed on your system.
# swlist SysMgmtWeb
# swconfig -x reconfigure=true SysMgmtHomepage.*
2. Use smhstartconfig to determine which SMH startup mode is enabled by default.
Part 2: Accessing the SMH (Internet Explorer)
Depending on your lab equipment setup, your instructor will tell you to do either
lab Part 2 or Part 3.
1. Launch the Internet Explorer web browser and point it to the SMH autostart URL,
http://server_ip:2301/. Replace server_ip with your server's IP address.
a. If you are accessing your lab system remotely via a Virtual Lab portal server,
launch the portal's Internet Explorer via the browser link on the VL webtop. In
some VL environments, there may be an SMH link on the webtop that opens a browser
directly to the SMH.
b. If you are accessing your lab system from a PC that has full network
connectivity to your lab system, launch Internet Explorer on your PC.
2. If asked if you wish to be redirected to "view pages over a secure connection",
click [OK].
You should see a "Security Alert" indicating that the security certificate provided
by the SMH server was "issued by a company you have not chosen to trust".
By default, the SMH uses "self-signed" authentication certificates, issued by the
SMH server itself. It's possible to obtain a security certificate for the SMH
server from a third party "Certificate Authority"; for the sake of the lab, we'll
use the self-signed certificate.
When asked if you want to proceed, click [Yes].
3. Log in as user root on the SMH login page. If your browser's status bar is
enabled, note the padlock icon in the bottom right corner of the browser window
indicating that the connection to the server is secure.
Part 3: Accessing the SMH (Firefox; Mozilla is still available)
Depending on your lab equipment setup, your instructor will tell you to do either
lab Part 2 or Part 3.
1. Launch a Firefox web browser.
2. Point your web browser to the SMH autostart URL, http://server:2301/.
Replace server with your fully-qualified server hostname.
3. A window titled "Website Certified by an Unknown Authority" may appear.
By default, the SMH uses "self-signed" authentication certificates, issued by the
SMH server itself. It's possible to obtain a security certificate for the SMH
server from a third party "Certificate Authority"; for the sake of the lab, we'll
use the self-signed certificate.
a. Click the "Accept this certificate permanently" radio button to permanently
accept the self-signed certificate from the SMH server.
b. Click [OK] to proceed past the "Website Certified by an Unknown Authority"
window.
c. A "Security Warning" message should appear indicating that you "have requested
an encrypted page". Click [OK] to proceed to the SMH login screen.
4. Log in as user root on the SMH login page. Note the padlock icon in the bottom
right corner of the browser window, indicating that you are connected to the server
via a secure connection.
Part 4: Navigating the SMH web interface
Use the SMH to complete the tasks below. If you wish, explore other SMH pages of
interest, too.
1. Use the SMH "Home" tab links to view detailed status reports on some of your lab
system's hardware components.
2. Use the SMH "Home" tab links to view detailed reports of your lab system's
process information, networking information, and memory utilization.
3. Navigate to the SMH "Tools" tab and use the Defragment Extents link to
"defragment" the /home file system.
4. Navigate to the SMH "Tasks" tab and use the Run Command as Root link to execute
/usr/bin/passwd -f user1, which forces user1 to change his/her password at
next login.
5. Navigate to the SMH "Logs" tab and use the System Log Viewer link to view all
lines in /var/adm/syslog/syslog.log that contain the string inetd.
Part 5: Creating custom SMH tools (Optional)
SMH includes quite a few built-in features. For even greater flexibility, though,
SMH also allows system administrators to create custom SMH tools on any SMH
screen.
1. Access the SMH "Settings" screen.
2. Click Add Custom Menu.
3. From the Type pulldown menu, select Command Line.
4. From the Page pulldown menu, select Tools.
5. In the Category field, enter Disks and File Systems.
6. In the Tool Name field, enter Purge /tmp.
7. In the Command/URL field enter the following command, which purges all files
from /tmp which haven't been accessed in at least seven days:
/usr/bin/find /tmp -type f -atime +7 -exec rm {} +
8. Click [Add].
9. Access the SMH "Tools" tab.
10. In the Disk & File Systems category, click the new Purge /tmp tool.
11. Click [Run] to run the tool.
Part 6: Cleanup
Close your SMH browser window before proceeding to the next chapter.
2–22. LAB SOLUTIONS: Configuring and Using the System Management Homepage
Directions
Carefully follow the instructions below and record your answers in the spaces
provided.
Part 1: Configuring SMH autostart functionality
1. Verify that the SMH product is installed and configured on your system.
# swlist SysMgmtWeb
# swconfig -x reconfigure=true SysMgmtHomepage.*
2. Use smhstartconfig to determine which SMH startup mode is enabled by default.
Answer:
# smhstartconfig
HPSMH 'autostart url' mode.........: ON
HPSMH 'start on boot' mode.........: OFF
Start Tomcat when HPSMH starts.....: OFF
Autostart mode is the default SMH startup mode.
Part 2: Accessing the SMH (Internet Explorer)
Depending on your lab equipment setup, your instructor will tell you to do either
lab Part 2 or Part 3.
1. Note that when performing these labs in the HP Virtual Lab, there is an SMH
button in the HPVL Reservation Window that will open an SMH browser window.
The other method is to launch the Internet Explorer web browser and point it to the
SMH autostart URL, http://server_ip:2301/. Replace server_ip with your server's IP
address.
a. If you are accessing your lab system remotely via a Virtual Lab portal server,
launch the portal's Internet Explorer via the browser link on the VL webtop. In
some VL environments, there may be an SMH link on the webtop that opens a browser
directly to the SMH.
b. If you are accessing your lab system from a PC that has full network
connectivity to your lab system, launch Internet Explorer on your PC.
2. If asked if you wish to be redirected to "view pages over a secure connection",
click [OK].
a. You should see a "Security Alert" indicating that the security certificate
provided by the SMH server was "issued by a company you have not chosen to trust".
By default, the SMH uses "self-signed" authentication certificates, issued by the
SMH server itself. It's possible to obtain a security certificate for the SMH
server from a third party "Certificate Authority"; for the sake of the lab, we'll
accept the self-signed certificate.
When asked if you want to proceed, click [Yes].
3. Log in as user root on the SMH login page. If your browser's status bar is
enabled, note the padlock icon in the bottom right corner of the browser window
indicating that the connection to the server is secure.
Part 3: Accessing the SMH (Firefox; Mozilla is still available)
Depending on your lab equipment setup, your instructor will tell you to do either
lab Part 2 or Part 3.
1. Launch the Firefox web browser.
2. When performing these labs in the HP Virtual Lab, there is an SMH button in the
HPVL Reservation Window that will open an SMH browser window.
The other method is to point your web browser to the SMH autostart URL,
http://server:2301/. Replace server with your fully-qualified server hostname.
3. A window titled "Website Certified by an Unknown Authority" may appear.
By default, the SMH uses "self-signed" authentication certificates, issued by the
SMH server itself. It's possible to obtain a security certificate for the SMH
server from a third party "Certificate Authority"; for the sake of the lab, we'll
use the self-signed certificate.
a. Click the "Accept this certificate permanently" radio button to permanently
accept the self-signed certificate from the SMH server.
b. Click [OK] to proceed past the "Website Certified by an Unknown Authority"
window.
c. A "Security Warning" message should appear indicating that you "have requested
an encrypted page". Click [OK] to proceed to the SMH login screen.
4. Log in as user root on the SMH login page. Note the padlock icon in the bottom
right corner of the browser window, indicating that you are connected to the server
via a secure connection.
Part 4: Navigating the SMH web interface
Use the SMH to complete the tasks below. If you wish, explore other SMH pages of
interest, too.
1. Use the SMH "Home" tab links to view detailed status reports on some of your lab
system's hardware components.
2. Use the SMH "Home" tab links to view detailed reports of your lab system's
process information, networking information, and memory utilization.
3. Navigate to the SMH "Tools" tab and use the Defragment Extents link to
"defragment" the /home file system.
Answer:
a. Navigate to the SMH "Tools" tab.
b. Click the File Systems link.
c. Select the radio button for the /home file system.
d. Click the Defragment Extents link. You may have to scroll to the bottom right
corner of the SMH screen to see this link.
e. Review the comments and command preview.
f. Click [Defragment] to proceed with the defragmentation.
g. There shouldn't be any output or errors.
h. Click [Back] to return to the file system list.
4. Navigate to the SMH "Tasks" tab and use the Run Command as Root link to execute
/usr/bin/passwd -f user1, which forces user1 to change his/her password at
next login.
Answer:
a. Navigate to the SMH "Tasks" tab and click the Run Command as Root link.
b. Enter C in the Language field.
c. Enter /usr/bin/passwd -f user1 in the Command field.
d. Click [Run].
e. Click [Back] when the command completes.
5. Navigate to the SMH "Logs" tab and use the System Log Viewer link to view all
lines in /var/adm/syslog/syslog.log that contain the string inetd.
Answer:
a. Navigate to the SMH "Logs" tab and click the System and Consolidated Log
Viewer link.
b. On the Select tab, select the /var/adm/syslog/syslog.log file.
c. On the Filters tab, enter inetd in the Search field.
d. Click the Display tab to view the results.
Part 5: Creating custom SMH tools (Optional)
SMH includes quite a few built-in features. For even greater flexibility, though,
SMH also allows system administrators to create custom SMH tools on any SMH
screen.
1. Access the SMH "Settings" screen.
2. Click Add Custom Menu.
3. From the Type pulldown menu, select Command Line.
4. From the Page pulldown menu, select Tools.
5. In the Category field, enter Disks and File Systems.
6. In the Tool Name field, enter Purge /tmp.
7. In the Command/URL field enter the following command, which purges all files
from /tmp which haven't been accessed in at least seven days:
/usr/bin/find /tmp -type f -atime +7 -exec rm {} +
8. Click [Add].
9. Access the SMH "Tools" tab.
10. Click the new Purge /tmp tool.
11. Click [Run] to run the tool.
Part 6: Cleanup
Close your SMH browser window before proceeding to the next chapter.
Module 3 – Managing Users and Groups
Objectives
Upon completion of this module, you will be able to do the following:
• List the minimum requirements for a user account.
• Identify each field in the /etc/passwd file.
• Identify each field in the /etc/shadow file.
• Identify each field in the /etc/group file.
• Create, modify, and remove user accounts.
• Create, modify, and remove user groups.
• Deactivate and reactivate a user account.
• Configure shadow passwords.
• Configure password aging.
• Customize default user account security attributes in /etc/default/security.
• Customize default user shell startup scripts in /etc/skel/.
3–1. SLIDE: User and Group Concepts
Student Notes
In order to gain access to an HP-UX system and its resources, users are required to
log in. By controlling access to your system, you can prevent unauthorized users
from running programs that consume resources, and control access to the data stored
on your system.
Every user on an HP-UX system is assigned a unique username, password, and User
Identification (UID) number. HP-UX uses the user's UID number to determine which
files and processes are associated with each user on the system.
Every user is also assigned a primary group membership and, optionally, up to 20
additional group memberships. HP-UX grants access to files and directories based on
a user's UID and the groups to which the user belongs.
Use the id command to determine a user's UID and primary group membership.
# id user1
uid=301(user1) gid=301(class)
[Slide figure: User and Group Concepts. Users Sue, Jim, Frank, Marie, Bob, Jean,
and Ann, with the groups Users, Sales, and Develop.]
Use the groups command to determine a user's secondary group memberships.
# groups user1
class class2 users
This chapter describes the configuration files that define user accounts and
groups, and the commands required to manage those files.
3–2. SLIDE: What Defines a User Account?
Student Notes
User accounts are defined in the /etc/passwd file. Each line in the /etc/passwd
file identifies a user's username, password, User ID, primary group, home
directory, and other critical user-specific information.
Some users may belong to multiple user groups. The /etc/passwd file defines each
user's primary group membership. The /etc/group file defines additional group
memberships.
Finally, most users have a home directory under /home, beneath which they can store
their personal files and directories.
What Defines a User Account?
/etc/shadow (optional; strongly recommended to enable)
user1:btp2SLRCK70es:1001::::::
user2:btp2SLRCK70es:1002::::::
user3:btp2SLRCK70es:1003::::::
/etc/group
users::20:
accts::1001:user1,user2
sales::1002:user1,user2,user3,user4,user5,user6
/home
user1 user2 user3
/etc/passwd
user1:x:1001:20:111-1111:/home/user1:/usr/bin/sh
user2:x:1002:20:222-2222:/home/user2:/usr/bin/sh
user3:x:1003:20:333-3333:/home/user3:/usr/bin/sh
3–3. SLIDE: The /etc/passwd File
Student Notes
The /etc/passwd file contains a one-line entry for each authorized user account.
All fields are delimited by colons (:).
Username: The username that is used when a user logs in. The first character in
each username should be alphabetic, but remaining characters may be alphabetic or
numeric. Usernames are case sensitive.
In 11i v1 and v2, the username must be 1-8 characters in length. If a name
contains more than eight characters, only the first eight are significant.
11i v3 supports usernames up to 255 characters in length. However, this
functionality must be manually enabled by temporarily stopping the pwgrd
password hashing daemon, executing the lugadmin (long username
groupname) command, and restarting pwgrd. This process shouldn't
impact existing users or running processes. Once enabled, long usernames
cannot be disabled.
The /etc/passwd File
/etc/passwd (r--r--r--)
Fields: Username, Password, UID, GID, Comments, Home Directory, Shell
root:qmAj8as.,8a3e:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
user1:AdOK60AazRgXU:1001:1001:111-1111:/home/user1:/usr/bin/sh
user2:AdOK60AazRgXU:1002:1001:222-2222:/home/user2:/usr/bin/sh
user3:AdOK60AazRgXU:1003:1001:333-3333:/home/user3:/usr/bin/sh
Use /usr/sbin/vipw to edit /etc/passwd
Use /usr/sbin/pwck to check the /etc/passwd file syntax
/etc/passwd contains a one-line definition of each valid user account
# /sbin/init.d/pwgr stop
pwgrd stopped
# lugadmin -e
Warning: Long user/group name once enabled cannot
be disabled in future.
Do you want to continue [yY]: y
lugadmin: Note: System is enabled for
long user/group name
# /sbin/init.d/pwgr start
pwgrd started
To determine if long usernames are enabled, execute lugadmin -l. 64
indicates that the maximum username length is 8 characters. 256 indicates
that long usernames are enabled.
# lugadmin -l
256
Commands such as who, ll, and ps that display usernames may truncate
usernames greater than 8 characters. The user represented in the who
output below has username ThisIsALongName.
$ who
ThisIsA+ console Jun 13 13:27
Long usernames may cause problems for scripts and applications that
attempt to parse the output from these commands or the contents of the
/etc/passwd file.
Password: The encrypted password. You can encrypt a new password for a user via
the passwd command. /etc/passwd supports user passwords up to eight characters.
If the password field is empty, the user can log in without entering a password.
An asterisk (*) in the password field deactivates an account. Nothing you can type
will encrypt to an asterisk, so no one can log in using the associated login name.
User ID: Each user must be assigned a user ID. User ID 0 is reserved for root, and
UIDs 1-99 are reserved for other predefined accounts required by the system. SAM,
SMH, and ugweb automatically assign UID numbers when creating new groups.
Version 10.20 of HP-UX introduced support for User IDs as large as 2,147,483,646.
Prior to HP-UX 10.20, UIDs greater than 60,000 were not supported. To determine
your system's maximum UID, check the MAXUID parameter in
/usr/include/sys/param.h.
Using large UIDs may cause problems when sharing files with other systems that do
not support large UIDs.
Group ID: The user's primary group ID (GID). This number corresponds with an entry
in the /etc/group file. See the /etc/group discussion later in the chapter for
more information.
Comments: The comment field. It allows you to add extra information about the
users, such as the user's full name, telephone extension, organization, or building
number.
Home directory: The absolute path to the directory the user will be in when they
log in. If this directory does not exist or is invalid, then the user's home
directory becomes /.
Command: The absolute path of a command to be executed when the user logs in.
Typically, this is a shell. The shells that are usually used are /usr/bin/sh,
/usr/bin/ksh, and /usr/bin/csh. Administrators must use the /sbin/sh POSIX shell.
Most non-root users should use the /usr/bin/sh POSIX shell. If the field is empty,
the default is /usr/bin/sh.
The command entry does not have to be a shell. For example, you can create the
following entry in /etc/passwd:
date:rc70x.4.hGJdc:20:1::/:/usr/bin/date
The command is /usr/bin/date. If you type date at the login prompt, then type the
appropriate password, the system will run the /usr/bin/date command, and then log
you out.
NOTE: The permissions on the passwd file should be read only (r--r--r--) and
the owner must be root.
Required Entries in /etc/passwd
Several entries are required in /etc/passwd to support various system daemons and
processes. The list below shows the most critical required user accounts; others
may be required, too, to support your system's applications.
root:rZ1lps2JYh3iA:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:60001::/:
Editing /etc/passwd
If you are using vi to edit /etc/passwd and a user attempts to change a password
while you are editing, the user's change will not be entered into the file. To
prevent this situation, use vipw when editing /etc/passwd.
# vipw
This command puts a lock on the /etc/passwd file by copying /etc/passwd to
/etc/ptmp. If a user attempts to change a password, he or she will be told that the
passwd file is busy. When you leave vipw, some automatic checks are done, and if
your changes are correct, the temporary file is moved to /etc/passwd. Otherwise,
/etc/passwd will remain unchanged.
Checking the /etc/passwd File
The consistency of the /etc/passwd file can be checked with the /usr/sbin/pwck
command. It checks the number of fields in each entry, verifies that the login directory
and optional program name exist, and validates the login name, user ID, and group ID.
# pwck
[/etc/passwd] user1:fnnmD.DGyptLU:301:301:student:/home/user1
Too many/few fields
3-4. SLIDE: The /etc/shadow File
Student Notes
The default permissions on the /etc/passwd file are r--r--r--. Since the file is
world-readable, anyone with a valid login can view the file and view encrypted passwords.
Hackers sometimes exploit this fact to extract a list of encrypted passwords and run a
password cracking utility to gain access to other users' accounts.
Unfortunately, removing world-read permission on the /etc/passwd file isn't a viable
solution to this problem. Many commands, from login, to ps, to ll use the /etc/passwd
file to convert UIDs to usernames, and vice versa. Changing the /etc/passwd file
permissions to 400 would cause these commands to fail.
HP's shadow password functionality addresses this problem by moving encrypted passwords
and other password information to the /etc/shadow file, which has 400 permissions to
ensure that it is only readable by root. Other user account information (UIDs, GIDs, home
directory paths, and startup shells) remains in the /etc/passwd file to ensure that login,
ps, ll, and other commands can still convert UIDs to usernames.
The /etc/shadow File
- Passwords can optionally be stored in /etc/shadow
- /etc/shadow is more secure than /etc/passwd
/etc/shadow (r--------)
user1:AdOK60AazRgXU:12269:70:140:70:35::
[Slide diagram labels for the fields above: User Name, Encrypted Password, Last Changed, Min Days, Max Days, Warn Days, Inactive Days, Unused]
Install the ShadowPassword product (only necessary in 11i v1)
Use /usr/sbin/pwck to verify your current /etc/passwd file syntax
Use /usr/sbin/pwconv to move passwords from /etc/passwd to /etc/shadow
Use /usr/sbin/pwunconv to move passwords back to /etc/passwd
Configuring Shadow Passwords
By default, the /etc/shadow file doesn't exist. Use the cookbook below to convert to a
shadow password system:
1. Shadow password support is included by default in 11i v2 and v3. HP-UX 11i v1
administrators, however, must download and install the ShadowPassword patch bundle
from http://software.hp.com/. Use the swlist command to determine if the
product has already been installed.
# swlist ShadowPassword
2. Run pwck to verify that there aren't any syntax errors in your existing
/etc/passwd file.
# pwck
3. Use the pwconv command to move your passwords to the /etc/shadow file.
# pwconv
*Warning*: There is a restriction on the use of shadow password
functionality in this release of HP-UX. Failure to consider this
limitation may lead to an inability to log in to the system after
the conversion is performed. A system converted to use shadow
passwords is not compatible with any repository other than files
and ldap. This means that the passwd entry in the nsswitch.conf
file must not contain nis, nis+, or dce.
Would you like to proceed with the conversion? (yes/no): yes
4. Verify that the conversion succeeded. The /etc/passwd file should remain
world-readable, but the /etc/shadow file should only be readable by root. The encrypted
passwords in /etc/passwd should have been replaced by "x"s.
# ll /etc/passwd /etc/shadow
-r--r--r-- 1 root sys 914 May 18 14:35 /etc/passwd
-r-------- 1 root sys 562 May 18 14:35 /etc/shadow
5. You can revert to the traditional non-shadowed password functionality at any time via the
pwunconv command.
# pwunconv
All of the standard password commands, including passwd, useradd, usermod, userdel,
and pwck are shadow password aware.
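The checks in steps 2 and 4 of the cookbook can be scripted so that they are repeatable after every conversion. The script below is an added example, not HP-supplied code: audit_accounts and write_sample_files are hypothetical names, the sample entries are constructed, and the UID checks go beyond what the cookbook lists.

```shell
#!/bin/sh
# Added example: cross-check passwd- and shadow-format files after pwconv.

# audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one finding per line as SEVERITY:file:user:message and prints
# nothing when both files are clean.
audit_accounts() {
    awk -F: -v pw="$1" '
    FILENAME == pw {
        if (NF != 7) {
            print "ERROR:passwd:" $1 ":expected 7 fields, found " NF
            next
        }
        known[$1] = 1
        if ($2 == "")
            print "ERROR:passwd:" $1 ":null password field"
        else if ($2 != "x" && $2 != "*")
            print "ERROR:passwd:" $1 ":password hash left in world-readable file"
        if ($3 == 0 && $1 != "root")
            print "WARN:passwd:" $1 ":additional UID 0 account, confirm it is intended"
        else if ($3 in owner)
            print "WARN:passwd:" $1 ":UID " $3 " already used by " owner[$3]
        if (!($3 in owner))
            owner[$3] = $1
        next
    }
    {
        if (NF != 9) {
            print "ERROR:shadow:" $1 ":expected 9 fields, found " NF
            next
        }
        if (!($1 in known))
            print "ERROR:shadow:" $1 ":no matching username in passwd"
        if ($2 == "")
            print "ERROR:shadow:" $1 ":null password, no password demanded at login"
    }' "$1" "$2"
}

# write_sample_files DIR
# Constructed sample data (not from a real system): user2 still has a hash in
# passwd, admin2 shares UID 0, user4 is missing a field, user3 has a null
# shadow password, and ghost has no passwd entry.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
user1:x:301:301:student:/home/user1:/usr/bin/sh
user2:CONSTRUCTEDHASH2:302:301:student:/home/user2:/usr/bin/sh
user3:x:303:301:student:/home/user3:/usr/bin/sh
admin2:x:0:3::/:/sbin/sh
user4:x:304:301:student:/home/user4
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTEDHASH0:14370::::::
user1:CONSTRUCTEDHASH1:14370:7:70:14:::
user3::14370::::::
admin2:CONSTRUCTEDHASH3:14370::::::
ghost:CONSTRUCTEDHASH9:14370::::::
EOF
}

# Demonstration on the constructed files; on a live system, run
# audit_accounts /etc/passwd /etc/shadow as root instead.
demo_dir="${TMPDIR:-/tmp}/acct-audit.$$"
mkdir -m 700 "$demo_dir" && write_sample_files "$demo_dir" &&
    audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

The script checks file contents only; the file modes are still verified with ll as in step 4.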
Fields in /etc/shadow
The /etc/shadow file is an ASCII file consisting of any number of user entries separated by
newlines. Each user entry line consists of the following fields separated by colons:
username Each login name must match a username in /etc/passwd. In 11i v3,
/etc/shadow is compatible with long usernames as described on the
/etc/passwd slide previously.
password When you convert to a shadowed system, each password in /etc/passwd is
replaced with an "x", and the encrypted passwords are copied to the second
field in /etc/shadow. If the /etc/shadow password field is null, then there
is no password and no password is demanded on login. Login can be
prevented by entering a "*" in the /etc/shadow password field.
last changed The number of days since January 1, 1970 that the password was last
modified. This field is used by the password aging mechanism, which will be
described later in the chapter.
min days The minimum number of days that a user must retain a password before it can
be changed. This field is used by the password aging mechanism, which will
be described later in the chapter.
max days The maximum number of days for which a password is valid. A user who
attempts to login after his password has expired is forced to supply a new one.
If min days and max days are both zero, the user is forced to change his
password the next time he logs in. If min days is greater than max days, then
the password cannot be changed. These restrictions do not apply to the
superuser. This field is used by the password aging mechanism, which will be
described later in the chapter.
warn days The number of weeks the user is warned before his password expires. This
field is used by the password aging mechanism, which will be described later
in the chapter.
inactivity The maximum number of days of inactivity allowed after a password has
expired. The account is locked if the password is not changed within the
specified number of days after the password expires. If this field is set to zero,
then the user is required to change his password. This field is only used by
HP-UX trusted systems, which aren't discussed in this course.
expiration The absolute number of days since Jan 1, 1970 after which the account is no
longer valid. A value of zero in this field indicates that the account is locked.
reserved The reserved field is always null, and is reserved for future use.
Editing /etc/shadow
Manually editing the /etc/shadow file isn't recommended. On a shadow password system,
you should use the useradd, usermod, userdel, and passwd commands to manage user
accounts in both /etc/passwd and /etc/shadow. These commands will be described in
detail later in the chapter.
Enabling SHA-512 Passwords in /etc/shadow
Traditionally, HP-UX has used a variation of the DES encryption algorithm to encrypt user
passwords in /etc/passwd. HP-UX 11i v2 and v3 now support the more secure SHA-512
algorithm if you install the Password Hashing Infrastructure patch bundle from
http://software.hp.com. HP-UX 11i v3 also supports long passwords up to 255
characters if you add the LongPass11i3 patch bundle, too. Use the following commands to
determine if your system has these patch bundles:
In 11i v2:
# swlist SHA
In 11i v3:
# swlist PHI11i3 LongPass11i3
These patches are not available for 11i v1.
After installing the software, add the following two lines to /etc/default/security to
enable SHA-512 password hashing:
# vi /etc/default/security
CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
The lines above ensure that when passwords are created or changed, HP-UX always uses the
new SHA-512 algorithm rather than the legacy 3DES __unix__ algorithm. Existing users
can continue using their legacy passwords until their passwords expire, or until they
manually change their passwords.
As users change their passwords, note that the resulting passwords in /etc/shadow
become much longer. The $6$ prefix in the second password field below indicates that the
password was encrypted via SHA-512.
Before: user1:9oTPronwCKT9w:14370::::::
After: user1:$6$At65DRDJ$e9MfDCRnMMyJp1OeaOlzgslSyaXmzmS1TgGdni8SUqrYYPvGSZXZNh/Ov0O5RdMgCe3Vap5DApx0zpr6XB190.:14370::::::
This functionality only works on systems that store passwords in /etc/shadow rather than
/etc/passwd.
NIS and NIS+ are incompatible with this feature, as are some third party applications that
directly parse encrypted passwords.
Enabling Long Passwords in /etc/shadow
On 11i v3 systems, you can also enable long passwords up to 255 characters in length by
adding this line to /etc/default/security:
# vi /etc/default/security
CRYPT_DEFAULT=6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LONG_PASSWORD=1
This functionality only works on systems that store passwords in /etc/shadow, and that
have the SHA512 password functionality enabled.
For more information about these features, see the HP-UX Password Hashing Infrastructure
Release Notes on http://docs.hp.com, the HP-UX LongPassword page on http://software.hp.com,
and the HP-UX Security (H3541S) course on http://www.hp.com/education.
3-5. SLIDE: The /etc/group File
Student Notes
When a user logs in on an HP-UX system, HP-UX checks the GID field in the user's
/etc/passwd entry to determine the user's primary group membership. The /etc/group
file determines a user's secondary group memberships.
Users will be granted group access rights to any file associated with either their primary or
secondary groups.
New files and directories that the user creates will, by default, be assigned to the user's
primary group. Users who prefer to associate new files and directories with a secondary
group can use the newgrp command to temporarily change their GID.
# newgrp sales
The /etc/group File
- /etc/passwd determines a user's primary group membership
- /etc/group determines a user's secondary group memberships
other::1:root,daemon,uucp,sync
users::20:
accts::1001:user1,user2
sales::1002:user1,user2,user3,user4,user5,user6
[Slide diagram labels for the fields above: Group, GID, Members]
Use /usr/bin/vi to edit /etc/group
Use /usr/sbin/grpck to check the /etc/group file syntax
To return to the primary group, run newgrp without any options.
# newgrp
To determine which groups a user belongs to, use the groups command.
# groups user1
sales accts
/etc/group File Format
The colon delimited /etc/group file defines user groups.
group_name is the mnemonic name associated with the group. If you ll a file, you will see
this name printed in the group field.
In 11i v1 and v2, group names may only be 8 characters in length. In 11i v3,
the lugadmin command enables long group names up to 255 characters.
password may contain an encrypted group-level password in earlier versions, but is no
longer used.
group_id is the group ID (GID). This is the number that should be placed in the
/etc/passwd file in the group_id field.
GIDs 1-99 are reserved for other predefined groups required by the system.
SAM, SMH, and ugweb automatically assign GID numbers when creating
new groups.
Version 10.20 of HP-UX introduced support for GIDs as large as
2,147,483,646. Prior to HP-UX 10.20, GIDs greater than 60,000 were not
supported. To determine your system's maximum UID, check the MAXUID
parameter in /usr/include/sys/param.h.
Using large GIDs may cause problems when sharing files with other systems
that don't support large UIDs.
group_list is a list of usernames of users who are members of the group. A user's
primary group is defined in the fourth field of /etc/passwd, not in the
/etc/group file.
Each member can be a member of up to 20 secondary groups. This limit is
determined by the NGROUPS_MAX parameter in
/usr/include/limits.h. Also, each line in the /etc/group file can be
no more than 2048 characters, as defined by the LINE_MAX parameter in
/usr/include/limits.h.
Required Entries in /etc/group
root::0:root
other::1:root,hpdb
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
mail::6:root
lp::7:root,lp
tty::10:
nuucp::11:nuucp
nogroup:*:-2:
For more information on the /etc/group file, see group(4) in the HP-UX Reference manual.
Checking the /etc/group File
The consistency of the /etc/group file can be checked with the /usr/sbin/grpck
command. It will check for the number of fields in each entry, and whether all login names
appear in the password file.
# grpck
users::20:root,user101
user101 - Logname not found in password file
3-6. SLIDE: Creating User Accounts
Student Notes
The useradd command provides a convenient mechanism for adding user accounts.
Without any options, useradd simply adds a user to the /etc/passwd file using all of the
user account defaults:
# useradd user1
# grep user1 /etc/passwd
user1:x:101:20::/home/user1:/sbin/sh
Most administrators choose to override one or more of these defaults via some combination
of the command line options listed below:
-o -u uid -u specifies the User ID (UID) for the new user. uid must be a
nonnegative integer less than MAXUID as it is defined in the
/usr/include/sys/param.h header file. uid defaults to the next
available unique number above the maximum currently assigned number.
UIDs from 0-99 are reserved.
The -o option allows the UID to be non-unique. This is most useful when
creating multiple user accounts with UID 0 administrator privileges.
Creating User Accounts
- Use useradd to create new user accounts
Create a user account:
# useradd -o \ # allow a duplicate UID
-u 101 \ # define the UID
-g users \ # define the primary group
-G class,training \ # define secondary groups
-c "student user" \ # define the comment field
-m -d /home/user1 \ # make a home directory for the user
-s /usr/bin/sh \ # define the default shell
-e 1/2/09 \ # define an account expiration date
-p fnnmD.DGyptLU \ # specify an encrypted password
-t /etc/default/useradd \ # specify a template
user1 # define the username
Interactively set a password for the new account:
# passwd user1 # interactively specify a password or...
# passwd -d user1 # set a null password
# passwd -f user1 # force a password change at first login
-g group Specifies the integer group ID or character string name of an existing
group. This defines the primary group membership of the new login.
-G group Specifies a comma separated list of additional GIDs or group names. This
defines the supplemental group memberships of the new login. Multiple
groups may be specified as a comma separated list. Duplicates within the
-g and -G options are ignored.
-c comment Specifies the comment field in the /etc/passwd entry for this login. This
can be any text string. A short description of the new login is suggested for
this field. The field may be used to record users' names, telephone
numbers, office locations, employee numbers, or other information. The
field isn't referenced by the system.
-k skeldir Specifies the skeleton directory containing files that should be copied to
all new user accounts. Defaults to /etc/skel. See the /etc/skel
discussion later in this chapter for more information.
-m -d dir -d specifies the new user's home directory path. The home directory path
defaults to /home/username. With the optional -m (make) option,
useradd also creates the home directory.
-s shell Specifies the full pathname of the new user's login shell. By default, the
system uses /sbin/sh as the login shell. /sbin/sh is a POSIX shell, but
it's a "statically linked" executable that consumes more system resources
than the dynamically linked /usr/bin/sh shell. /sbin/sh is required
for the root account, but other accounts should use /usr/bin/sh.
-e expire Specifies the date after which this login can no longer be used. After
expire, no user will be able to access this login. Use this option to create
temporary logins. expire, which is a date, may be typed in a variety of
formats, including mm/dd/yy. See the man page for other supported
formats. This option only works on systems configured to use the
/etc/shadow file.
-f inactive Specifies the maximum number of days of continuous inactivity of the login
before the login is declared invalid. This option is only supported on
trusted systems. To learn more about HP's trusted system functionality,
attend HP Customer Education's H3541S course.
-p password Specifies an encrypted password for the account. The argument passed to
-p must be a valid encrypted password, created via the crypt perl/C
function. The example below uses command substitution to execute a
perl command that encrypts password "hp" for user1. Although this
solution is convenient, beware that the command (which includes the
user's cleartext password) will appear in the process table and in
~/.sh_history.
# useradd -p $(perl -e "print crypt('hp','xx')") user1
For a description of the perl function, type perldoc -f crypt.
For a description of the equivalent C function, type man 2 crypt.
If -p isn't specified, useradd creates the user account, but doesn't enable
it. Execute the passwd username command to interactively assign a
password to the new account.
-t template Specifies a template file, which establishes default options for the
command. See the user template discussion below.
/etc/default/useradd is the default template file.
username Specifies the new user's username. The username should be between one
and eight characters in length. The first character should be alphabetic. If
the name contains more than eight characters, only the first eight are
significant.
The slide shows a complete example using many of these options.
Setting a User Password
The useradd command creates a user account, but unless the -p option was specified, the
passwd command must be used to define a password for the new account before the user
can login.
The administrator can either define a password for the user or set a null password:
# passwd user1 # interactively specify a password for the user or...
# passwd -d user1 # set a null password
In either case, most administrators force new users to choose a new, memorable password
the first time they login.
# passwd -f user1 # force a password change at first login
Creating useradd Templates in /etc/default/
Administrators who manage many user accounts often configure useradd template files in
the /etc/default/ directory. Template files establish default values for many of the
useradd options. The useradd command consults the /etc/default/useradd
template by default, but additional templates can be created as well with different default
parameters for different types of users. The example below creates a useradd template that
might be used when creating user accounts for C application developers who prefer to use
the C shell and need to belong to the developer group. The example only demonstrates a few
options. See the useradd(1m) man page for additional options.
# useradd -D \ # update defaults for a template
-t /etc/default/useradd.cusers \ # template file location
-b /home \ # base for home directories
-c "C programmer" \ # comment
-g developer \ # primary group
-s /usr/bin/csh # default shell
To verify that the template was created, execute useradd with just the -D and -t options,
or simply cat the file.
# useradd -D -t /etc/default/useradd.cusers
GROUPID 20
BASEDIR /home
SKEL /etc/skel
SHELL /usr/bin/csh
INACTIVE -1
EXPIRE
COMMENT programmer
CHOWN_HOMEDIR no
CREAT_HOMEDIR no
ALLOW_DUP_UIDS no
The example below uses the new template to create a user account. Recall that -m creates a
home directory for the new user.
# useradd -m -t /etc/default/useradd.cusers user1
# tail -1 /etc/passwd
user1:*:101:20:programmer:/home/user1:/usr/bin/csh
3-7. SLIDE: Modifying User Accounts
Student Notes
User account settings may be modified by the administrator, or, to a lesser extent, by users.
Modifying a User Account (Administrators)
The system administrator can change any user's account settings via the passwd and
usermod commands.
-l username Changes the user's username. This option doesn't, however, change the
user's home directory name. See the -m and -d options below.
-o -u uid -u changes the user's User ID (UID).
Changing a user's UID via usermod automatically changes the ownership
of the files in the user's home directory to match the new UID. If the user
owns files in other directories, though, be sure to use the chown command
to change the ownership of those files to match the new UID.
The -o option allows the new UID to be non-unique (i.e., allows duplicate
UIDs). This is most useful when creating multiple user accounts with UID
0 administrator privileges.
Modifying User Accounts
- The administrator can use usermod to modify user accounts
- Users can modify some attributes of their own accounts via passwd, chsh, and chfn
Modify a user account (Administrators):
# usermod -l user01 user1 # change the user's username
# usermod -o -u 101 user1 # change the user's UID
# usermod -g users user1 # change the user's primary group
# usermod -G class,training user1 # change the user's secondary group(s)
# usermod -c "student" user1 # change the user's comment field
# usermod -m -d /users/user01 user1 # move the user's home directory
# usermod -s /usr/bin/ksh user1 # change the user's default shell
# usermod -e 1/3/09 user1 # change the user's account expiration
# usermod -p fnnmD.DGyptLU user1 # non-interactively change a password
Modify a user password (Administrators):
# passwd user1 # interactively change a password
Modify a user account or password (Users):
$ passwd # change the user's password
$ chsh user1 /usr/bin/ksh # change the user's shell
$ chfn user1 # change the user's comment field
-g group Changes the user's primary group membership.
-G group Replaces the user's existing secondary group memberships in
/etc/group with a new list of secondary group memberships. Multiple
groups may be specified as a comma separated list.
-c comment Specifies the comment field in the /etc/passwd entry for this login. This
can be any text string. A short description of the new login is suggested for
this field. The field may be used to record users' names, telephone
numbers, office locations, employee numbers, or other information. The
field isn't referenced by the system.
-m -d dir -d changes the user's home directory path in /etc/passwd. The -m
option moves the user's existing home directory to the new location
specified by -d. Without the -m option, the user's home directory path is
changed in /etc/passwd, but no files are moved. If the -m option isn't
specified, the directory following the -d must be an existing directory.
-p password Specifies an encrypted password for the account. The argument passed to
-p must be a valid encrypted password, created via the crypt perl/C
function. The example below uses command substitution to execute a
perl command that encrypts password "hp" for a new user1 account.
# useradd -p $(perl -e "print crypt('hp','xx')") user1
For a description of the crypt function, type perldoc -f crypt.
For a description of the equivalent C function, type man 2 crypt.
-p is mostly used in scripts designed to modify multiple account
passwords in an automated fashion. To interactively modify a user's
password, use the passwd command instead.
# passwd user1
Changing password for user1
New password: ******
Re-enter new password: ******
Passwd successfully changed
-s shell Specifies the full pathname of the new user's login shell. By default, the
system uses /sbin/sh as the login shell. /sbin/sh is a POSIX shell, but
it's a "statically linked" executable that consumes more system resources
than the dynamically linked /usr/bin/sh shell. /sbin/sh is required
for the root account, but other accounts should use /usr/bin/sh.
-e expire Specifies the date after which this login can no longer be used. After
expire, no user will be able to access this login. Use this option to create
temporary logins. expire, which is a date, may be typed in a variety of
formats, including mm/dd/yy. See the man page for other supported
formats. This option only works on systems configured to use the
/etc/shadow file.
-f inactive Specifies the maximum number of days of continuous inactivity of the login
before the login is declared invalid. This option is only supported on
trusted systems. To learn more about HP's trusted system functionality,
attend HP Customer Education's H3541S course.
Modifying a User Password (Administrators)
Administrators can change any user's password. The administrator isn't prompted for the
user's existing password.
# passwd user1
Changing password for user1
New password: ******
Re-enter new password: ******
Passwd successfully changed
Alternatively, use the -d option to set a null password. Users with null passwords aren't
prompted to enter a password at login.
# passwd -d user1
In either case, consider using the -f option to force the user to personally select a new
password at next login.
# passwd -f user1
Modifying a User Account (Users)
Users can change their own passwords via the passwd command, but must know their
current password.
$ passwd
Changing password for user1
Old password: ******
New password: ******
Re-enter new password: ******
Passwd successfully changed
Users can modify some of their other account attributes, too, via the chsh and chfn
commands.
$ passwd # change the user's password
$ chsh user1 /usr/bin/ksh # change the user's shell
$ chfn user1 # change the user's comment field interactively
3-8. SLIDE: Deactivating User Accounts
Student Notes
If a user is going on leave, or no longer needs access to the system, deactivate/lock their
account. Deactivating an account places an "*" in the user's password field and prevents the
user from logging in.
# passwd -l user1
If the user returns, simply choose a new password for the user to reactivate their account.
# passwd user1
If a user's account has been deactivated and the user's files will never be used by another
user, reclaim the user's disk space by removing their home directory.
# rm -rf /home/user1
Deactivating User Accounts
- Deactivating a user account prevents the user from logging in
- However, the user's entry remains in the /etc/passwd file and can be reactivated
- The user's files can be left as-is, removed, or transferred to another user
Deactivate a user account
# passwd -l user1
Reactivate a user account
# passwd user1
Remove a user's home directory
# rm -rf /home/user1
Or... Remove the user's files from every directory
# find / -user user1 -type f -exec rm -i {} +
# find / -user user1 -type d -exec rmdir {} +
Or... Transfer ownership to a different user
# find / -user user1 -exec chown user2 {} +
Some users may have files scattered across other directories as well. Use the find
command to find and remove the user's files and directories. The -i option provides an
opportunity to review each file before removing it.
# find / -user user1 -type f -exec rm -i {} +
# find / -user user1 -type d -exec rmdir -i {} +
Alternatively, consider reassigning the user's files to a different user. The example below
chowns all files owned by user1 to user2.
# find / -user user1 -exec chown user2 {} +
3-9. SLIDE: Removing User Accounts
Student Notes
If you are certain that a user will never need access to your system again, you may prefer to
remove the user's account from the /etc/passwd file entirely.
# userdel user1
If you want to remove the user's home directory, too, include the -r (recursive remove)
option.
# userdel -r user1
Some users may have files scattered across other directories as well. You can use the find
command to find and remove the user's other files and directories.
# find / -user user1 -type f -exec rm -i {} +
# find / -user user1 -type d -exec rmdir -i {} +
Removing User Accounts
- Removing a user removes the user from /etc/passwd and /etc/group
- The user's files can be left as-is, removed, or transferred to another user
Delete a user account, but leave the user's files untouched
# userdel user1
Delete a user account and remove the user's home directory
# userdel -r user1
Or... Remove the user's files from every directory
# find / -user user1 -type f -exec rm -i {} +
# find / -user user1 -type d -exec rmdir {} +
Or... Transfer ownership to a different user
# find / -user user1 -exec chown user2 {} +
Find files owned by non-existent users or groups
# find / -nouser -exec ll -d {} +
# find / -nogroup -exec ll -d {} +
Alternatively, consider reassigning the user's files to a different user.
# find / -user user1 -exec chown user2 {} +
Or, perhaps simply leave the files on disk as-is. If you choose this approach, the ll
command will report the old user's userid rather than username in the file owner field. Use
the find command to generate a list of all such "orphaned" files.
# find / -nouser -exec ll -d {} +
# find / -nogroup -exec ll -d {} +
3-10. SLIDE: Configuring Password Aging
Student Notes
Many administrators force users to change their passwords on a regular basis via password
aging. Thus, even if a hacker were to obtain a copy of the /etc/passwd file, passwords
gleaned from that file would only be useful for a short period of time.
Password aging may be enabled via the /usr/bin/passwd command:
# passwd -n 7 -x 70 -w 14 user1
<min> argument rounded up to nearest week
<max> argument rounded up to nearest week
<warn> argument rounded up to nearest week
The -x option defines the maximum number of days a user is allowed to retain a password.
In the example on the slide, user1 will be forced to change his or her password every 28 days.
The -n option defines the minimum number of days a user is required to retain a password
after a password change. This, too, is rounded to the nearest week. In the example on the
slide, user1 must retain each new password for a minimum of 7 days. This prevents a user
from changing their password, then immediately reverting to their previously used password
each time their password expires.
Configuring Password Aging
- Password aging forces users to change their passwords on a regular basis
# passwd -n 7 -x 70 -w 14 user1 # enable password aging for a user
# passwd -s user1 # check a user's password status
# passwd -sa # check the status of all users
[Slide timeline: Password Change Prohibited from t=0 days; Password Change Allowed from t=7 days; Password Warning Appears at t=56 days (requires /etc/shadow); Password Change Required! at t=70 days]
-n  Sets the minimum number of days between password changes. Although this
    parameter must be specified in days, passwd rounds up to the nearest week. In the
    example on the slide, user1 must retain each new password for a minimum of 7 days.
    This prevents a user from changing their password, then immediately reverting to
    their previous password.
-x  Sets the maximum number of days allowed between password changes. Although
    this parameter must be specified in days, passwd rounds up to the nearest week.
-w  Sets the password expiration warning period. The -w option causes the system to
    display a login warning message one or more weeks before a user's password expires.
    The number of days is configurable. The -w option is only available on systems
    configured to use the /etc/shadow file, and must be specified in multiples of seven
    days.
You can check the password status of a user's account with the -s option.
# passwd -s user1
user1 PS 03/21/05 7 70 14
This generates a one-line summary indicating the minimum and maximum password
aging parameters, as well as the week when the password was last changed. To view the
aging status of all user accounts, execute:
# passwd -sa
user1 PS 03/21/05 7 70 14
user2 PS
user3 PS
Password Aging Fields in the /etc/passwd and /etc/shadow Files
On a non-shadowed system, password aging is put in effect for a particular user if the user's
encrypted password in the passwd file is followed by a comma and a non-null string of
characters. This string defines the age used to implement password aging. The characters
that are used to represent digits are as follows:
Characters    Number of Weeks
.             0
/             1
0-9           2-11
A-Z           12-37
a-z           38-63
The first character of the age, M, denotes the maximum number of weeks for which a
password is valid. A user who attempts to login after the password has expired is forced to
supply a new one. The next character, m, denotes the minimum period in weeks that must
expire before the password can be changed. The remaining characters define the week
(counted from the beginning of 1970) when the password was last changed (a null string is
equivalent to zero).
If m = M = 0 the user is forced to change the password at the next log in (and the age
disappears from the password entry). If m > M (the string ./), only a superuser (not the user)
can change the password.
On a shadow password system, password aging information is recorded in the
/etc/shadow file rather than /etc/passwd. See the /etc/shadow slide elsewhere in the
chapter for more information.
Although these parameters may be set manually, it's much easier to use the
/usr/bin/passwd command!
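The aging field described above can be decoded when auditing a non-shadowed /etc/passwd. The script below is an added example, not part of the HP course material; the function names, the placeholder hashes and the sample entries are constructed for illustration. It assumes the last-changed week is stored least significant character first, which the text above does not state.

```shell
#!/bin/sh
# Added example: decode the legacy aging suffix that follows the comma in the
# /etc/passwd password field on a non-shadowed system.

# decode_age AGE -> prints "MAX MIN LASTWEEK" (weeks); status 1 if AGE is invalid.
decode_age() {
    awk -v age="$1" 'BEGIN {
        # Position in this alphabet minus one is the value: . = 0, / = 1 ... z = 63
        alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        n = length(age)
        if (n == 0) exit 1
        for (i = 1; i <= n; i++) {
            v[i] = index(alphabet, substr(age, i, 1)) - 1
            if (v[i] < 0) exit 1
        }
        max = v[1]
        min = (n >= 2) ? v[2] : 0
        # Assumption: remaining characters are base-64 digits, least significant first.
        # A null remainder decodes to week 0, as the text describes.
        last = 0; mult = 1
        for (i = 3; i <= n; i++) { last += v[i] * mult; mult *= 64 }
        print max, min, last
    }' </dev/null
}

# audit_aging: reads passwd-format lines on stdin, prints one finding per account.
audit_aging() {
    while IFS=: read -r user pw rest; do
        age=
        case $pw in *,*) age=${pw#*,} ;; esac
        if [ -z "$age" ]; then
            echo "$user: no aging field"
            continue
        fi
        if ! decoded=$(decode_age "$age"); then
            echo "$user: invalid aging field"
            continue
        fi
        set -- $decoded
        if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
            note="change forced at next login"          # m = M = 0
        elif [ "$2" -gt "$1" ]; then
            note="only superuser may change password"   # m > M
        else
            note="aging enforced"
        fi
        echo "$user: max=${1}w min=${2}w last_change_week=$3 ($note)"
    done
}

# Constructed sample entries (placeholder hashes, not real accounts).
sample_passwd() {
    cat <<'EOF'
user1:HASHPLACEHOLD,8/iQ:101:20::/home/user1:/usr/bin/sh
user2:HASHPLACEHOLD:102:20::/home/user2:/usr/bin/sh
user3:HASHPLACEHOLD,..:103:20::/home/user3:/usr/bin/sh
user4:HASHPLACEHOLD,./:104:20::/home/user4:/usr/bin/sh
EOF
}

sample_passwd | audit_aging
```

On a real system, feed /etc/passwd to audit_aging on standard input; accounts reported with no aging field are the ones that passwd -x has never been applied to.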
3-11. SLIDE: Configuring Password Policies
Student Notes
In order to ensure that users choose secure passwords, HP-UX supports a configuration file
called /etc/default/security that may be used to define a variety of security policies.
To use these policies in 11i v1, install the ShadowPassword patch bundle and PHCO_24606.
11i v3, and the SecurityExt software bundle in 11i v2, provide support for several
additional parameters not shown on the slide. See the security(4) man page for a
complete list of policies and parameters available on your system.
Configuring Password Policies
• Use /etc/default/security to establish default password & security policies
# vi /etc/default/security
MIN_PASSWORD_LENGTH=
PASSWORD_MIN_UPPER_CASE_CHARS=
PASSWORD_MIN_LOWER_CASE_CHARS=
PASSWORD_MIN_DIGIT_CHARS=
PASSWORD_MIN_SPECIAL_CHARS=
PASSWORD_MAXDAYS=
PASSWORD_MINDAYS=
PASSWORD_WARNDAYS=
MIN_PASSWORD_LENGTH=N
    New passwords must contain at least N characters.
PASSWORD_MIN_UPPER_CASE_CHARS=N
    New passwords must contain a minimum of N upper-case characters. In 11i v1, this
    only applies if PHCO_24606 is installed.
PASSWORD_MIN_LOWER_CASE_CHARS=N
    New passwords must contain a minimum of N lower-case characters. This only applies
    if PHCO_24606 is installed.
PASSWORD_MIN_DIGIT_CHARS=N
    New passwords must contain a minimum of N digit characters. This only applies if
    PHCO_24606 is installed on your system.
PASSWORD_MIN_SPECIAL_CHARS=N
    Specifies that a minimum of N special characters are required in a password when
    changed.
PASSWORD_MAXDAYS=N
    This parameter controls the default maximum number of days that passwords are
    valid. This parameter applies only to local users and does not apply to trusted
    systems. The passwd -x option can be used to override this value for a specific
    user.
PASSWORD_MINDAYS=N
    This parameter controls the default minimum number of days before a password can
    be changed. This parameter applies only to local users and does not apply to trusted
    systems. The passwd -n option can be used to override this value for a specific
    user.
PASSWORD_WARNDAYS=N
    This parameter controls the default number of days before password expiration that a
    user is to be warned that the password must be changed. This parameter applies only
    to local users on Shadow Password systems. The passwd -w option can be used to
    override this value for a specific user.
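To check that a host's /etc/default/security actually carries the policy you intend, the file can be compared against a baseline. The script below is an added example, not HP's code; the function names and both sample files are constructed, the baseline numbers are the ones used in this module's lab, and taking the last uncommented occurrence of a parameter is an assumption of this script.

```shell
#!/bin/sh
# Added example: compare an /etc/default/security-style file with a baseline.

# get_param FILE NAME -> value of the last uncommented NAME=value line, or empty
get_param() {
    awk -F= -v name="$2" '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == name) { val = $2; gsub(/[ \t]/, "", val); found = val }
        }
        END { print found }
    ' "$1"
}

# check_param FILE NAME OP LIMIT   (OP is "min" or "max"); status 1 on a finding
check_param() {
    v=$(get_param "$1" "$2")
    case $v in
        ''|*[!0-9]*) echo "FAIL $2 is unset or not a number"; return 1 ;;
    esac
    if [ "$3" = min ] && [ "$v" -lt "$4" ]; then
        echo "FAIL $2=$v is below $4"; return 1
    fi
    if [ "$3" = max ] && [ "$v" -gt "$4" ]; then
        echo "FAIL $2=$v is above $4"; return 1
    fi
    echo "ok   $2=$v"
}

# audit_security_file FILE -> prints one line per parameter,
# returns the number of findings (0 means the file meets the baseline)
audit_security_file() {
    failures=0
    check_param "$1" MIN_PASSWORD_LENGTH min 8   || failures=$((failures + 1))
    check_param "$1" PASSWORD_MAXDAYS    max 180 || failures=$((failures + 1))
    check_param "$1" PASSWORD_MINDAYS    min 7   || failures=$((failures + 1))
    check_param "$1" PASSWORD_WARNDAYS   min 7   || failures=$((failures + 1))
    return "$failures"
}

# Constructed samples: a weak file and the corrected one.
weak=${TMPDIR:-/tmp}/security.weak.$$
fixed=${TMPDIR:-/tmp}/security.fixed.$$
trap 'rm -f "$weak" "$fixed"' EXIT
cat > "$weak" <<'EOF'
# password policy (constructed weak example)
MIN_PASSWORD_LENGTH=6
PASSWORD_MAXDAYS=365
PASSWORD_MINDAYS=0
EOF
cat > "$fixed" <<'EOF'
MIN_PASSWORD_LENGTH=8
PASSWORD_MAXDAYS=180
PASSWORD_MINDAYS=7
PASSWORD_WARNDAYS=7
EOF

echo "== weak ==";  audit_security_file "$weak"  || echo "findings: $?"
echo "== fixed =="; audit_security_file "$fixed" && echo "no findings"
```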
3-12. SLIDE: Managing Groups
Student Notes
Each user on an HP-UX system may belong to one or more groups. Groups may be managed
via the groupadd/groupmod/groupdel command line utilities. Group membership may be
managed via the usermod and groups commands.
Create a new group:
# groupadd -g 200 accts
Change a group name:
# groupmod -n accounts accts
Add a list of users to a group:
# groupmod -a -l user1,user2 accounts
Replace the current list of users in a group with a new list of users:
# groupmod -m -l user3,user4 accounts
Delete a list of users from a group:
# groupmod -d -l user3,user4 accounts
Delete a group:
# groupdel accounts
Change a user's primary and secondary group membership:
# usermod -g users user1
# usermod -G class,training user1
View a user's group memberships:
# groups user1
Managing Groups
• Each user can belong to one or more groups
• Groups can be managed via groupadd/groupmod/groupdel
• Group memberships can be managed via usermod and groups
3-13. SLIDE: Managing /etc/skel
Student Notes
When a user logs into a UNIX system, several scripts execute to establish the user's shell
environment. The list below describes the scripts that execute during the POSIX and Korn
shell login process. Login processes for other shells may vary.
1. After the user enters a username and password, the /usr/bin/login program checks the
   /etc/passwd file to verify that the user has a valid account. If the user's username and
   password are correct, the login program launches a shell for the user.
2. Next, the newly launched shell executes a script called /etc/profile.
   /etc/profile is a POSIX/Korn shell script that is maintained by the system
   administrator to configure a default environment for all users. The script accesses the
   /etc/PATH, /etc/MANPATH, and /etc/TIMEZONE files to set initial values for the
   PATH, MANPATH, and TZ variables. The script attempts to define the TERM variable
   automatically, too. Since /etc/profile executes every time any user logs in, the
   administrator can modify this file to set global default environment variables for all users
   at login time.
3. Next, the user's personal ~/.profile script executes. Each user has a .profile
   script that executes at login time to define additional environment variables, or to
   override the default environment variable values that the administrator defined in
   /etc/profile.
4. Finally, the shell looks for an environment variable called ENV. The ENV variable
   identifies a personal shell startup program that users may optionally choose to configure.
   POSIX shell users often create a ~/.shrc shell startup script, while Korn shell users
   typically define a ~/.kshrc shell startup script. Unlike the ~/.profile script, which
   only executes at login, the shell startup script executes every time the user logs in, runs a
   shell script, opens a terminal emulator window, or launches a shell. The POSIX and Korn
   shell startup scripts are typically used to define shell aliases.
Managing /etc/skel
[Slide diagram: .profile, .shrc and .exrc in /etc/skel/ are copied to new accounts, shown as /home/user1/]
• ~/.profile and other hidden files establish a user's environment at login
• /etc/skel/ contains template files to be copied to every new user account
  - Files can be added/modified/removed from /etc/skel as necessary
  - Changes in /etc/skel don't affect existing user accounts
Users can modify their personal ~/.profile and ~/.shrc scripts. The administrator can
create a template version of these in the /etc/skel directory. useradd automatically
copies the files found in this directory to each new user home directory.
Thus, if you wish to change the default configuration files that are copied to new users' home
directories, simply modify the files in /etc/skel. Note that changes made in /etc/skel
won't affect existing users' home directories. Updated files will only be copied to new user
accounts.
Additional files can be copied into /etc/skel as well, if your applications require
configuration files in users' home directories. The /etc/skel directory on the slide
includes a .exrc file which defines vi macros and keyboard shortcuts.
Administrators on very large systems may choose to create subdirectories under /etc/skel
for different user account types. Then, when creating a user account, use the useradd -k
skeldir option to specify which skeleton directory useradd should copy files from.
NOTE: There is no CDE .dtprofile script in /etc/skel. The first time a user
      logs in via CDE, HP-UX attempts to copy either
      /etc/dt/config/sys.dtprofile (if it exists) or
      /usr/dt/config/sys.dtprofile to the user's ~/.dtprofile. Use the
      following procedure to customize the default .dtprofile:
      # cp -p /usr/dt/config/sys.dtprofile \
           /etc/dt/config/sys.dtprofile
      # vi /etc/dt/config/sys.dtprofile
Some Common Environment Variables
The .profile script establishes a user's environment by setting environment variables. The
table below lists some of the most commonly modified environment variables.
TERM    The TERM variable defines the user's terminal type. If the TERM variable is set
        incorrectly, applications may not be able to write to the user's terminal properly.
        Valid terminal types are listed in the /usr/lib/terminfo/* directories. You
        can explicitly set an appropriate TERM value using a command similar to the
        following:
        export TERM=vt100 # for a vt100 type terminal
        export TERM=hp # for an HP ASCII terminal
        export TERM=dtterm # for a dtterm terminal emulator window
        More commonly, however, the TERM variable is set using the ttytype
        command, which can usually automatically determine your terminal type. The
        following portion of code can be included in one of the scripts that runs at login
        to set your terminal type for you:
        if [ "$TERM" = "" -o \
             "$TERM" = "unknown" -o \
             "$TERM" = "dialup" -o \
             "$TERM" = "network" ]
        then
            eval `ttytype -s -a`
        fi
        export TERM
PS1     The PS1 variable defines your shell prompt string. This, too, can be changed by
        the user. Some useful sample PS1 values are shown below:
        export PS1='$ ' # Use a simple "$ " prompt
        export PS1='$PWD $' # Include the user's pwd in the prompt
        export PS1='$PWD ($LOGNAME) $' # Include the user's username, too
LPDEST  LPDEST defines the user's default printer. The printer named in LPDEST takes
        precedence over the system-wide default printer configured by the system
        administrator. Examples:
        export LPDEST=laser # use "laser" as the default printer
        export LPDEST=printera # use "printera" as the default printer
PATH    Every time the user enters a command, the shell must find the executable
        associated with the requested command. The PATH variable contains a ":"
        separated list of directories that the shell should search for executables. If users
        need access to new applications and utilities, you may need to modify their PATH
        variables. You can append a new directory to the user's PATH using syntax
        similar to the following:
        PATH=$PATH:/usr/local/bin # adds /usr/local/bin
                                  # to the existing PATH
        The initial PATH variable value is usually taken from the /etc/PATH file.
        Oftentimes installing an application automatically updates the /etc/PATH file
        for you, so it may not be necessary to update individual users' PATHs.
EDITOR  Three variables must be defined if your users want to use command line
        editing:
        export EDITOR=vi
        export HISTFILE=~/.sh_history
        export HISTSIZE=50
        EDITOR defines the user's preferred command line editor. emacs and vi are the
        only allowed values. HISTFILE determines the file that should be used to log
        commands entered by the user. HISTSIZE determines the number of commands
        retained in the shell's command buffer.
TZ      Defines the user's time zone. Internally, UNIX records timestamps as the number
        of seconds since January 1, 1970 UTC. Commands that display timestamps
        (date, who, ll, etc.) display dates and times relative to the timezone specified in
        the user's TZ variable. The administrator can establish a system-wide default
        value in /etc/TIMEZONE, but individual users may wish to customize the
        variable to match their local time zone. See the /usr/lib/tztab file for a list
        of recognized time zones. The example below establishes a TZ value appropriate
        for users in Chicago.
        export TZ=CST6CDT
These are just some of the more commonly defined environment variables that you can
define for your users. Other environment variables are defined in the man page for the
POSIX shell (man 1 sh-posix), and still others may be required by your applications.
Environment variables can be set from the command line, but are more commonly defined in
the login configuration files, which will be covered later in this chapter. You can view a list
of currently defined environment variables by executing the env command:
# env
3-14. LAB: Managing User Accounts
Directions
Perform the following tasks. Record the commands you use, and answer all questions. The
password for user accounts user1-24 is class1.
Part 1: Creating and Modifying Users and Groups
1. Use the useradd command to create a user account for user25 on your system.
   Include the option to create a home directory for the user, and use /usr/bin/sh as the
   user's startup shell. Accept defaults for the other options.
2. Do you see an entry for the new user in the /etc/passwd file?
   Do you see an entry for the new user in the /etc/group file? Explain.
3. Can the user login at this point?
4. Choose and set a password for the new user.
5. Force the user to choose a new password the first time they login.
6. Login as user25 to verify that the new account works. What happens?
7. Return to the root account.
8. Oops! We forgot to define the comment field for user25. Set user25's comment field
   to "student account".
9. user25 needs to collaborate with user24 on a project. Create a group called
   project, and ensure that user24 and user25 both have access to the group.
10. Create a /home/project directory that user24 and user25 can use to store and
    manage files associated with their project. Ensure that the administrator and members of
    the project group are the only users who can access the shared directory.
    # mkdir /home/project
    # chown root:project /home/project
    # chmod 770 /home/project
11. Verify that user24 and user25 have access to the group, and that other users don't.
    # su user23 -c "touch /home/project/f23" # should fail!
    # su user24 -c "touch /home/project/f24" # should succeed!
    # su user25 -c "touch /home/project/f25" # should succeed!
Part 2: Deactivating and Removing User Accounts
1. Deactivate user24's account.
2. Remove user25's account without removing user25's home directory.
3. What changed in the /etc/passwd file because of the commands in the previous two
   questions?
4. What happens now when user24 and user25 attempt to log in? telnet to your local
   host, and try to login using both usernames. What happens?
   # telnet localhost
5. What happened to the users' home directories? Do a long listing of /home. Can you
   explain what you see?
   # ll -d /home/user24 /home/user25
6. Re-enable user24's account. Choose a new password as you wish.
Part 3: Implementing Shadow Passwords and Password Aging
1. Run pwconv to create the /etc/shadow file. You may see a warning noting that
   shadow passwords are incompatible with NIS. Since we're not using NIS, ignore the
   message.
   a. What is in the password field in /etc/passwd now?
   b. What fields are populated in /etc/shadow?
   c. What are the permissions on /etc/shadow? Why is this significant?
2. Enable shadow password aging on the user1 account.
   a. Ensure that the password is changed at least twice per year.
   b. Ensure that users wait at least one week between password changes.
   c. Provide a one-week warning before the user's password expires.
3. Apply the same password aging parameters to all users by modifying the appropriate
   variables in /etc/default/security. Also require users to choose passwords that
   are at least eight characters.
4. Before you continue on to the next part, revert to a non-shadowed password file.
Part 4: (Optional) Automating User Account Creation
Pretend for a moment that you are a system administrator at a large university. Fifty
students have just enrolled to start classes, and you need to create user accounts for
them. Can you write a simple shell script to automatically create the user accounts?
Initially, you can assign the students null passwords, but force them to change their
passwords after their first successful login. Assign /usr/bin/sh as the users' startup
shell.
Hint: Try running the sample shell script below. What must be changed in the shell script
to automatically create the desired accounts?
#!/usr/bin/sh
n=1
while ((n<=50))
do
    echo stud$n
    ((n=n+1))
done
Part 5: (Optional) Managing Users and Groups via the SMH
If time permits, explore the Accounts for Users and Groups functional area in the SMH:
# smh -> Accounts for Users and Groups or...
# ugweb
A similar Accounts for Users and Groups functional area exists in sam in earlier
versions of HP-UX.
3-15. LAB SOLUTIONS: Managing User Accounts
Perform the following tasks. Record the commands you use, and answer all questions. The
password for user accounts user1-24 is class1.
Part 1: Creating and Modifying Users and Groups
1. Use the useradd command to create a user account for user25 on your system.
   Include the option to create a home directory for the user, and use /usr/bin/sh as the
   user's startup shell. Accept defaults for the other options.
   Answer:
   # useradd -m -s /usr/bin/sh user25
2. Do you see an entry for the new user in the /etc/passwd file?
   Do you see an entry for the new user in the /etc/group file? Explain.
   Answer:
   There should be an entry in the /etc/passwd file for the new user. However, the user
   isn't listed in /etc/group. A user's primary group membership is recorded in the
   /etc/passwd GID field; /etc/group only records secondary group memberships.
3. Can the user login at this point?
   Answer:
   The user can't login at this point since the user's password hasn't been defined yet.
4. Choose and set a password for the new user.
   Answer:
   # passwd user25
5. Force the user to choose a new password the first time they login.
   Answer:
   # passwd -f user25
6. Login as user25 to verify that the new account works. What happens?
   # login
   Answer:
   The system should have required a password change for user25.
7. Return to the root account.
   Answer:
   $ exit
   Log back in again as root.
8. Oops! We forgot to define the comment field for user25. Set user25's comment field
   to "student account".
   Answer:
   # usermod -c "student account" user25
9. user25 needs to collaborate with user24 on a project. Create a group called
   project, and ensure that user24 and user25 both have access to the group.
   Answer:
   # groupadd project
   # usermod -G project user24
   # usermod -G project user25
10. Create a /home/project directory that user24 and user25 can use to store and
    manage files associated with their project. Ensure that the administrator and members of
    the project group are the only users who can access the shared directory.
    # mkdir /home/project
    # chown root:project /home/project
    # chmod 770 /home/project
11. Verify that user24 and user25 have access to the group, and that other users don't.
    # su user23 -c "touch /home/project/f23" # should fail!
    # su user24 -c "touch /home/project/f24" # should succeed!
    # su user25 -c "touch /home/project/f25" # should succeed!
Part 2: Deactivating and Removing User Accounts
1. Deactivate user24's account.
   Answer:
   # passwd -l user24
   Now try to log in as user user24. It should fail.
2. Remove user25's account without removing user25's home directory.
   Answer:
   # userdel user25
3. What changed in the /etc/passwd file because of the commands in the previous two
   questions?
   Answer:
   user24's password field is set to "*" to indicate that the account is disabled.
   user25's /etc/passwd entry disappeared entirely.
4. What happens now when user24 and user25 attempt to log in? telnet to your local
   host, and try to login using both usernames. What happens?
   # telnet localhost
   Answer:
   Both login attempts should fail.
5. What happened to the users' home directories? Do a long listing of /home. Can you
   explain what you see?
   # ll -d /home/user24 /home/user25
   Answer:
   Both directories are still there, but the owner field for user25's directory lists a number
   rather than user25's username. Internally, HP-UX identifies file ownership by UID
   rather than username. ll attempts to resolve these UIDs into usernames. However,
   since user25 is no longer listed in /etc/passwd, the ll command has no way of
   determining which username is associated with the /home/user25 directory.
6. Re-enable user24's account. Choose a new password as you wish.
   Answer:
   # passwd user24
Part 3: Implementing Shadow Passwords and Password Aging
1. Run pwconv to create the /etc/shadow file. You may see a warning noting that
   shadow passwords are incompatible with NIS. Since we're not using NIS, ignore the
   message.
   a. What is in the password field in /etc/passwd now?
   b. What fields are populated in /etc/shadow?
   c. What are the permissions on /etc/shadow? Why is this significant?
   Answer:
   The password fields in /etc/passwd should contain x's.
   Each /etc/shadow entry should contain a user name, an encrypted password, and a
   timestamp field that indicates when the password was last changed. The other fields
   should be empty.
   The permissions on /etc/shadow should be r--------, so hackers can't view user
   password information.
2. Enable shadow password aging on the user1 account.
   a. Ensure that the password is changed at least twice per year.
   b. Ensure that users wait at least one week between password changes.
   c. Provide a one-week warning before the user's password expires.
   Answer:
   # passwd -x 180 -n 7 -w 7 user1
3. Apply the same password aging parameters to all users by modifying the appropriate
   variables in /etc/default/security. Also require users to choose passwords that
   are at least eight characters.
   Answer:
   # vi /etc/default/security
   MIN_PASSWORD_LENGTH=8
   PASSWORD_MAXDAYS=180
   PASSWORD_MINDAYS=7
   PASSWORD_WARNDAYS=7
   The file is read-only by default, so a :w! followed by :q is needed if the vi(1m) editor is
   used.
4. Before you continue on to the next part, revert to a non-shadowed password file.
   Answer:
   # pwunconv
Part 4: (Optional) Automating User Account Creation
1. Pretend for a moment that you are a system administrator at a large university. Fifty
   students have just enrolled to start classes, and you need to create user accounts for
   them. Can you write a simple shell script to automatically create the user accounts?
   Initially, you can assign the students null passwords, but force them to change their
   passwords after their first successful login. Assign /usr/bin/sh as the users' startup
   shell.
Answer:
Create a shell script useradd_stud_accts.sh:
#!/usr/bin/sh
# Create accounts stud1 through stud50
n=1
while ((n<=50))
do
    echo stud$n
    useradd -m -s /usr/bin/sh stud$n    # -m creates the home directory
    passwd -d -f stud$n                 # null password, change forced at first login
    ((n=n+1))
done
Make the script executable and run it:
# chmod +x useradd_stud_accts.sh
# ./useradd_stud_accts.sh
To clean up the accounts, create the script userdel_stud_accts.sh:
#!/usr/bin/sh
# Remove accounts stud1 through stud50 and their home directories
n=1
while ((n<=50))
do
    echo stud$n
    userdel stud$n
    rm -rf /home/stud$n
    ((n=n+1))
done
Part 5: (Optional) Managing Users and Groups via the SMH
If time permits, explore the Accounts for Users and Groups functional area in the SMH.
From the Home Page, click "System Configuration." From the System Configuration Window,
click "Accounts for Users and Groups".
When this exercise is complete, sign out of the SMH utility and close the browser window.
A similar Accounts for Users and Groups functional area exists in sam in earlier
versions of HP-UX.
Module 4 - Navigating the HP-UX File System
Objectives
Upon completion of this module, you will be able to do the following:
• Describe the reasons for separating dynamic and static file systems.
• Describe the key contents of /sbin, /usr, /stand, /etc, /dev, /var (OS-related
  directories).
• Describe the key contents of /opt, /etc/opt, and /var/opt (application-related
  directories).
• Use find, whereis, and which to find files in the HP-UX file system.
4-1. SLIDE: Introducing the File System Paradigm
Student Notes
Many HP-UX system administration tasks require the administrator to find and manipulate
system and application configuration and log files. Understanding the philosophy behind the
organization of the file system will ensure that you can successfully find the resources you
need to perform administration tasks.
Files in the HP-UX file system are organized by various categories. Static files are separated
from dynamic files. Executable files are separated from configuration files. This philosophy
provides a logical structure for the file system and simplifies administration as well.
HP-UX Separates Static and Dynamic Portions of the File System
Files and directories in HP-UX may be categorized as static or dynamic. The contents of
static files and directories rarely change, except when patching or installing the operating
system or applications. Executable files, libraries, and system start-up utilities are all
considered to be static.
Dynamic files and directories change frequently. They are stored in a separate portion of the
file system. Configuration, temporary, and user files are all considered to be dynamic.
Introducing the File System Paradigm
[Slide diagram: Static Files (Executables, Libraries, System startup) and Dynamic Files (Configuration, Temporary, User), with OS and Application labels]
Separating dynamic and static data offers the following advantages:
• System backups are easier.
• Disk space management is simplified.
HP-UX Separates Executable Files from Configuration Files
Configuration data is kept separate from the executable code that uses that data. Separating
executable files from configuration files offers the following advantages:
• Changes made to configuration data are not lost when updating the operating system.
• Executable files can be easily shared across the network, while host-specific
  configuration data is stored locally on each host.
HP-UX Follows the AT&T SVR4 Standard File System Layout
Though there are minor differences from vendor to vendor, the file system layout used in
HP-UX is very similar to that used in other flavors of UNIX. This simplifies administration
tasks for administrators with responsibilities on multiple vendors' machines.
4-2. SLIDE: System Directories
Student Notes
The shaded directories in the diagram on the slide contain static data, while unshaded
directories in the diagram contain dynamic data. The sharable portion of the operating
system is located beneath /usr and /sbin. Only the operating system can install files into
these directories. Applications are located beneath /opt.
The directories /usr, /sbin, and the application subdirectories below /opt can be shared
among networked hosts. Therefore, they must not contain host-specific information. The
host-specific information is located in directories in the dynamic area of the file system.
System Directories
[Slide diagram: directory tree under / (root) showing /opt (App1, App2), /usr, /sbin, /home, /etc, /stand, /tmp, /dev, /mnt and /var, marked as STATIC FILES or DYNAMIC FILES]
General definitions for these directories are:
Directory   Definition
/usr        Sharable operating system commands, libraries, and documentation.
/sbin       Minimum commands needed to boot the system and mount other file systems.
/opt        Applications.
/etc        System configuration files. No longer contains executable files.
/dev        Device files.
/var        Dynamic information such as logs and spooler files (previously in /usr).
/mnt        Local mounts.
/tmp        Operating system temporary files.
/stand      Kernel and boot loader.
/home       User directories.
A Closer Look at /usr
The /usr directory contains the bulk of the operating system, including commands, libraries and documentation. The /usr file system contains operating system files, such as executable files and ASCII documentation.
The allowed subdirectories in /usr are defined below; no additional subdirectories should be created.
Examples of files that live here are:
/usr/bin         Operating system user commands.
/usr/conf        Kernel configuration.
/usr/contrib     Unsupported contributed software.
/usr/lbin        Back-ends to other commands.
/usr/local       User-contributed software.
/usr/newconfig   Default operating system configuration data files.
/usr/sbin        System administration commands.
/usr/share       Architecture independent sharable files.
/usr/share/man   Operating system man pages.
/usr/share/doc   Release notes.
A Closer Look at /var
The /var directory is for multipurpose log, temporary, transient, variable sized, and spool files. The /var directory is extremely variable in size, hence the name. In general, any files that an application or command creates at runtime, and that are not critical to the operation of the system, should be placed in a directory that resides under /var. For example, /var/adm will contain log files and other runtime-created files related to system administration. /var will also contain variable size files like crontabs, and print and mail spooling areas.
In general, files beneath /var are somewhat temporary. System administrators that wish to free up disk space are likely to search the /var hierarchy for files that can be purged. Some sites may choose not to make automatic backups of the /var directories.
Examples of files that reside here are:
/var/adm         Common administrative files and log files.
/var/adm/crash   Kernel crash dumps.
/var/mail        Incoming mail.
/var/opt/        Application-specific runtime files (e.g. logs, temporary files). Each application will have its own directory.
/var/spool       Spooled files used by subsystems such as lp, cron, software distributor.
/var/tmp         Temporary files generated by commands in the /usr hierarchy.
A Closer Look at /var/adm
This directory hierarchy is used for common administrative files, logs, and databases. For example, files generated by syslog(3C), files used by cron(1M), and kernel crash dumps will be kept here and in subdirectories.
Examples of files that reside here are:
/var/adm/crash    Kernel crash dumps will be located in this directory.
/var/adm/cron     Used for log files maintained by cron. cron is a subsystem that allows you to schedule processes to run at a specific time or at regular intervals.
/var/adm/sw       Used for log files maintained by the Software Distributor.
/var/adm/syslog   System log files. Applications as well as the kernel can log messages here. The syslogd daemon is responsible for writing the log messages. The behavior of the syslogd daemon can be customized with the /etc/syslog.conf file. The name of the default log file is /var/adm/syslog/syslog.log. At boot time this file is copied to OLDsyslog.log, and a new syslog.log is started. The syslog.log file is an ASCII file.
/var/adm/sulog    This file contains a history of all invocations of the switch user command. sulog is an ASCII log file.
/var/adm/wtmp     On an 11i v1 system, this file contains a history of successful logins. This file is not ASCII. The last command is used to display this information. The wtmp file will continue to grow and should be trimmed by the administrator from time to time.
/var/adm/btmp     On an 11i v1 system, this file contains a history of unsuccessful logins. This file is not ASCII. The lastb command is used to display this information. The btmp file will continue to grow and should be trimmed by the administrator from time to time.
/etc/utmp         On an 11i v1 system, this file contains a record of all users logged onto the system. This file is used by commands such as write and who. This file is not an ASCII file and cannot be directly viewed.
/var/adm/wtmps    On an 11i v2 system, this file contains a history of successful logins. This file is not ASCII. The last command is used to display this information. The wtmps file will continue to grow and should be trimmed by the administrator from time to time.
/var/adm/btmps    On an 11i v2 system, this file contains a history of unsuccessful logins. This file is not ASCII. The lastb command is used to display this information. The btmps file will continue to grow and should be trimmed by the administrator from time to time.
/etc/utmps        On an 11i v2 system, this file contains a record of all users logged onto the system. This file is used by commands such as write and who. This file is not an ASCII file and cannot be directly viewed.
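Because sulog is a plain ASCII file, failed and successful su attempts can be summarised with standard tools. The script below is an added example, not part of the HP course material; it assumes the conventional System V record layout (SU date time flag tty from-to, where + marks success and - marks failure), and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise su activity from an sulog-style file.
# Assumed record layout (conventional System V sulog; verify on your host):
#   SU MM/DD HH:MM FLAG TTY FROM-TO      FLAG is "+" (success) or "-" (failure)

# sample_sulog: print constructed sample records (not from a real system).
sample_sulog() {
    cat <<'EOF'
SU 03/14 09:02 + pts/0 greg-root
SU 03/14 09:40 - pts/2 anna-root
SU 03/14 09:40 - pts/2 anna-root
SU 03/14 09:41 - pts/2 anna-root
SU 03/14 09:45 + pts/2 anna-root
SU 03/14 10:10 - pts/1 greg-oracle
SU 03/14 11:00 + pts/1 greg-oracle
this line is not an su record and is ignored
EOF
}

# su_report FILE [LIMIT]     (FILE may be "-" to read standard input)
#   FAILED n from-to          pair with at least LIMIT failures in total
#   ROOT-OK n from-to         successful switches to root
#   SUCCESS-AFTER-n-FAILURES date time from-to
#                             success that directly follows LIMIT or more
#                             consecutive failures for the same pair
su_report() {
    awk -v limit="${2:-3}" '
        # Skip anything that is not a well-formed su record.
        $1 != "SU" || NF != 6 || ($4 != "+" && $4 != "-") { next }
        {
            pair = $6
            n = split(pair, part, "-")
            target = part[n]        # text after the last "-" is the target user
        }
        $4 == "-" { fail[pair]++; streak[pair]++; next }
        {
            if (streak[pair] >= limit)
                print "SUCCESS-AFTER-" streak[pair] "-FAILURES " $2 " " $3 " " pair
            streak[pair] = 0
            if (target == "root") ok[pair]++
        }
        END {
            for (p in fail) if (fail[p] >= limit) print "FAILED " fail[p] " " p
            for (p in ok) print "ROOT-OK " ok[p] " " p
        }
    ' "$1" | LC_ALL=C sort
}

# Demo on the constructed sample; on a real host pass /var/adm/sulog instead.
sample_sulog | su_report - 3
```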
4-3. SLIDE: Application Directories
[Slide diagram: Application Directories. Static: /opt/<application>/ with bin, lbin, lib, share, and newconfig (looks like /usr). Dynamic: /etc/opt/<appl> and /var/opt/<appl>.]
Student Notes
Each application will have its own subdirectory under /opt, /etc/opt, and /var/opt.
The sharable, or static, part of the application is self-contained in its own /opt/application directory, which has the same hierarchy as the operating system layout:
/opt/application/bin         User commands.
/opt/application/share/man   man pages.
/opt/application/lib         Libraries.
/opt/application/lbin        Back end commands.
/opt/application/newconfig   Master copies of configuration files.
The application's host-specific log files are located under /var/opt/application, and host-specific configuration files are located under /etc/opt/application.
4-4. SLIDE: Commands to Help You Navigate
find      Searches the file hierarchy
whereis   Locates source, binaries, and man pages
which     Locates an executable in your PATH
file      Determines file type
strings   Displays ASCII characters in binary files
Student Notes
As a system administrator, you will need to reference files in directories all over the HP-UX file system. HP-UX offers several tools for finding the files and executable files you need to perform administration tasks.
The find Command
The find command is a powerful tool for system administrators. It searches the file hierarchy starting at a specified point and finds files that match the criteria you select. You can search for files by name, owner, size, modification time, and so on. find also allows you to execute a command with the files found used as an argument.
Examples
• Find all files belonging to the user greg:
# find / -user greg
• Find files in /tmp that have not been accessed in 7 days:
# find /tmp -type f -atime +7
• Remove core files:
# find / -name core -exec rm -i {} \;
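The static areas described earlier in this module (/usr, /sbin, and /opt) should change only when the operating system or an application is installed or patched, so find can be used to baseline them and report unexpected changes. The script below is an added example, not part of the HP course material; the function names and the miniature sample tree are constructed for illustration, and mktemp -d is used only to build the demo tree.

```shell
#!/bin/sh
# Added example: baseline the static trees (usr, sbin, opt) and report drift.
# Function names and the sample tree are constructed for illustration.

# snapshot ROOT: print "checksum size path" for every regular file in the
# static trees under ROOT (use / on a real host). Paths are relative to ROOT.
snapshot() {
    (
        cd "$1" || exit 1
        for tree in usr sbin opt; do
            if [ -d "$tree" ]; then
                find "$tree" -type f -exec cksum {} \;
            fi
        done
    )
}

# drift OLD NEW: compare two snapshot files and list what changed.
drift() {
    # Tag each line with its origin so empty or identical inputs are handled.
    { sed 's/^/O /' "$1"; sed 's/^/N /' "$2"; } | awk '
        { sum = $2 " " $3; path = $0; sub(/^[ON] [0-9]+ [0-9]+ /, "", path) }
        $1 == "O" { old[path] = sum; next }
        {
            seen[path] = 1
            if (!(path in old))        print "ADDED " path
            else if (old[path] != sum) print "CHANGED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' | LC_ALL=C sort
}

# world_writable ROOT: files and directories in the static trees that any
# user could modify.
world_writable() {
    (
        cd "$1" || exit 1
        for tree in usr sbin opt; do
            if [ -d "$tree" ]; then
                find "$tree" \( -type f -o -type d \) -perm -0002 -print
            fi
        done
    ) | LC_ALL=C sort
}

# make_sample_tree: build a small constructed tree and print its location.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/sbin" "$root/opt/app1/bin" "$root/var/adm"
    echo 'cp v1'   > "$root/usr/bin/cp"
    echo 'init v1' > "$root/sbin/init"
    echo 'tool v1' > "$root/opt/app1/bin/tool"
    echo 'boot'    > "$root/var/adm/syslog.log"
    chmod -R go-w "$root"
    echo "$root"
}

# Demo: take a baseline, change the tree, then report.
demo=$(make_sample_tree)
snapshot "$demo" > "$demo/baseline"
echo 'cp v2'   > "$demo/usr/bin/cp"            # static file modified
echo 'extra'   > "$demo/sbin/extra"            # static file added
rm "$demo/opt/app1/bin/tool"                   # static file removed
echo 'message' >> "$demo/var/adm/syslog.log"   # dynamic area, not tracked
chmod 777 "$demo/opt/app1/bin"                 # static directory opened up
snapshot "$demo" > "$demo/current"
drift "$demo/baseline" "$demo/current"
world_writable "$demo"
rm -rf "$demo"
```

On a real host the baseline would be taken right after installation or patching and stored where ordinary users cannot modify it.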
The whereis Command
The whereis command is useful when you receive "not found" error messages. It searches a predefined list of directories. By default, whereis looks for source, binaries, and man pages. You can limit the search to binary files by using the -b option.
Example
# whereis -b sam
sam: /usr/sbin/sam
The which Command
The which command is useful for determining which version of a command will be used. Some commands have multiple homes. Which version you execute is determined by the order of the directories in your PATH variable.
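Because the first match in PATH wins, it is worth checking both which copy of a command is used and whether any PATH entry lets another user supply that copy. The function below is an added example, not part of the HP course material; the name path_report, its output labels, and the demo directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every PATH entry that would supply a command, in search
# order, and flag PATH entries that let another user decide what runs.

# path_report CMD [PATHSTRING]     (PATHSTRING defaults to $PATH)
#   USED file          first executable match: this is what the shell runs
#   SHADOWED file      later match hidden by an earlier PATH entry
#   RELATIVE entry     empty or non-absolute entry (resolved against the
#                      current directory)
#   WRITABLE-DIR dir   PATH directory that is world-writable
path_report() {
    cmd=$1
    rest=${2-$PATH}:          # trailing ":" lets the loop see the last entry
    found=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}       # text before the first ":"
        rest=${rest#*:}       # everything after it
        case $dir in
            /*) ;;
            '') echo "RELATIVE (empty)"; dir=. ;;
            *)  echo "RELATIVE $dir" ;;
        esac
        [ -d "$dir" ] || continue
        if [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "WRITABLE-DIR $dir"
        fi
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            if [ "$found" -eq 0 ]; then
                echo "USED $dir/$cmd"
                found=1
            else
                echo "SHADOWED $dir/$cmd"
            fi
        fi
    done
    return 0
}

# Demo with constructed directories: a world-writable "site" directory placed
# ahead of the "os" directory takes precedence for the sam command.
demo=$(mktemp -d)
mkdir "$demo/site" "$demo/os"
chmod 777 "$demo/site"
chmod 755 "$demo/os"
for d in site os; do
    printf '#!/bin/sh\n' > "$demo/$d/sam"
    chmod 755 "$demo/$d/sam"
done
path_report sam "$demo/site:$demo/os"
rm -rf "$demo"
```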
The file Command
The file command performs a series of tests on a file and attempts to classify it. It can be useful for determining if a command is a shell script or a binary executable.
Examples
# file /sbin/shutdown
/sbin/shutdown: s800 shared executable
# file /etc/passwd
/etc/passwd: ascii text
The strings Command
The strings command is useful when trying to find information in a binary file. It will print any printable characters in the file.
4-5. LAB: HP-UX File System Hierarchy
Directions
Answer all the questions below.
1. Which of the following directories are dynamic?
/etc
/usr
/sbin
/dev
/tmp
2. Viewing a report on your disk space usage, you note that /usr, /var, and /opt are all nearing 90% capacity. Which of these directories should you be most concerned about? Why?
3. Match the directory with its contents:
1. /usr/share/man   A. kernel, boot loader
2. /stand           B. system configuration files
3. /var/adm         C. shareable operating system commands
4. /etc             D. man pages
5. /usr             E. application directories
6. /opt             F. common admin files and logs
4. Where would you expect to find the cp and rm OS user executables? See if you are correct.
5. Where would you expect to find the smh, useradd, and userdel executables? See if you are correct.
6. The pre_init_rc utility executes in the early stages of the system start-up procedure to check for file system corruption. Where would you expect to find this executable? See if you are correct.
7. There is a system log file that maintains a record of system shutdowns. Where would you expect to find the shutdown log file? See if you are correct.
8. In which directory would you expect to find the "hosts" configuration file, which contains network host names and addresses? See if you are correct.
9. Though many utilities and daemons maintain independent log files, many daemons and services write their errors and other messages to a log file called syslog.log. See if you can find the path for this file, then check to see if any messages have been written to the file in the last day.
10. Find all of the directories (if any) under /home that are owned by root.
11. (Optional) Find all the files under /tmp that haven't been accessed within the last day.
12. (Optional) Find all the files on your system that are greater than 10000 bytes in size. If you needed to make some disk space available on your system, would it be safe to simply remove these large files?
4-6. LAB SOLUTIONS: HP-UX File System Hierarchy
Directions
Answer all the questions below.
1. Which of the following directories are dynamic?
/etc
/usr
/sbin
/dev
/tmp
Answer:
/etc
/dev
/tmp
2. Viewing a report on your disk space usage, you note that /usr, /var, and /opt are all nearing 90% capacity. Which of these directories should you be most concerned about? Why?
Answer:
/var deserves the most attention here because it is a dynamic file system that could grow quite quickly in case of an error condition that creates entries in the system log files. /usr and /opt are static file systems that are less likely to cause problems.
3. Match the directory with its contents:
1. /usr/share/man   A. kernel, boot loader
2. /stand           B. system configuration files
3. /var/adm         C. shareable operating system commands
4. /etc             D. man pages
5. /usr             E. application directories
6. /opt             F. common admin files and logs
Answer:
1. /usr/share/man   D. man pages
2. /stand           A. kernel, boot loader
3. /var/adm         F. common admin files and logs
4. /etc             B. system configuration files
5. /usr             C. shareable operating system commands
6. /opt             E. application directories
4. Where would you expect to find the cp and rm OS user executables? See if you are correct.
Answer:
Both are in /usr/bin, along with all the other user executables.
5. Where would you expect to find the smh, useradd, and userdel executables? See if you are correct.
Answer:
All three are in /usr/sbin along with many other administrative utilities.
6. The pre_init_rc utility executes in the early stages of the system start-up procedure to check for file system corruption. Where would you expect to find this executable? See if you are correct.
Answer:
pre_init_rc is in the /sbin directory, along with other files used during the boot process.
7. There is a system log file that maintains a record of system shutdowns. Where would you expect to find the shutdown log file? See if you are correct.
Answer:
The full path name is /etc/shutdownlog (/var/adm/shutdownlog is a symbolic link). Most OS log files are kept in /var/adm.
8. In which directory would you expect to find the "hosts" configuration file, which contains network host names and addresses? See if you are correct.
Answer:
The path name for the hosts file is /etc/hosts.
9. Though many utilities and daemons maintain independent log files, many daemons and services write their errors and other messages to a log file called syslog.log. See if you can find the path for this file, then check to see if any messages have been written to the file in the last day.
Answer:
# more /var/adm/syslog/syslog.log
10. Find all of the directories (if any) under /home that are owned by root.
Answer:
# find /home -user root
11. (Optional) Find all the files under /tmp that haven't been accessed within the last day.
Answer:
# find /tmp -atime +1 -type f
12. (Optional) Find all the files on your system that are greater than 10000 bytes in size. If you needed to make some disk space available on your system, would it be safe to simply remove these large files?
Answer:
# find / -size +10000c -type f
Before removing these files, be sure to investigate the files' purpose.
Module 5 - Configuring Hardware
Objectives
Upon completion of this module, you will be able to do the following:
• Describe the major hardware components of an HP-UX system
• Describe the high-level features of HP's current Integrity server products
• Describe the components of HP-UX legacy and Agile View hardware paths
• Describe the features of HP's nPar, vPar, VM, and Secure Resource Partitions
• View a system's hardware model and configuration with machinfo and model
• View a system's peripheral devices and buses with ioscan and scsimgr
• View slots and interface cards with rad and olrad
• Add and replace interface cards with and without HP OL* functionality
• Add and remove pluggable and non-hot-pluggable devices
5-1. SLIDE: Hardware Components
HP-UX systems have several hardware components:
• One or more Itanium single-, dual-, or quad-core CPUs for processing data
• One or more Cell Boards or Blades hosting CPU and memory
• One or more System/Local Bus Adapters that provide connectivity to expansion buses
• One or more PCI I/O expansion buses with slots for add-on Host Bus Adapters
• One or more Host Bus Adapter cards for connecting peripheral devices
• One or more Core I/O cards with built-in LAN, console, and boot disk connectivity
• An iLO / Management Processor to provide console access and system management
[Slide diagram: hardware block diagram. Cell boards or blades (CPUs, memory, SBA) joined by a blade link / crossbar; LBAs driving PCI-X buses with FC HBAs attached to SAN LUNs; Core I/O with serial, LAN, and SCSI (disk, DVD); iLO / MP with serial and LAN.]
Student Notes
Every recent HP-UX system has several hardware components:
• One or more PA-RISC or Itanium single-, dual-, or quad-core CPUs for processing data.
• One or more Cell Boards or Blades hosting CPU and memory.
• One or more System/Local Bus Adapters that provide connectivity to expansion buses.
• One or more PCI I/O expansion buses with slots for add-on Host Bus Adapters.
• One or more Host Bus Adapter cards for connecting peripheral devices.
• One or more Core I/O cards with built-in LAN, console, and boot disk connectivity.
• An Integrated Lights Out / Management Processor (iLO/MP) card to provide local and remote console access and system management functionality.
The slides that follow describe these components in detail.
5-2. SLIDE: CPUs
• HP's current "Integrity" servers use Intel's 64-bit EPIC architecture Itanium 2 processors
• HP's older "hp9000" servers used HP's proprietary 64-bit PA-RISC processors
• HP provides binary compatibility across processor types and generations
Current Itanium 2 Processors                                   Clock Speeds
Intel® Itanium® Quad-Core 9300 Series "Tukwila" Processor     1.3GHz, 1.6GHz, 1.7GHz
Intel® Itanium® Dual-Core 9200 Series "Montvale" Processor    1.4GHz or 1.6GHz
Intel® Itanium® Dual-Core 9100 Series "Montecito" Processor   1.4GHz or 1.6GHz
[Slide diagram: same hardware block diagram as on slide 5-1.]
Student Notes
HP's HP-UX systems utilize two different processor families.
The Itanium Processor Family (IPF*)
All of HP's current HP-UX servers utilize Intel Itanium Processor Family (IPF) processors developed by Intel. All HP servers that utilize the IPF processors carry the "HP Integrity" brand name.
The Itanium 2 architecture uses a variety of techniques to increase parallelism: the ability to execute multiple instructions during each machine cycle. Parallelism improves performance because it allows multiple instructions to be executed simultaneously. The Itanium 2 architecture is designed to make certain the processor can execute as many instructions per cycle as possible.
A key to the high performance of the IPF processors is the design philosophy at the heart of the processor, Explicitly Parallel Instruction Computing (EPIC). The EPIC philosophy is a major reason why Itanium 2 processors are different from other 64-bit processors, providing much higher instruction-level parallelism without unacceptable increases in hardware complexity. EPIC achieves such performance by placing the burden of finding parallelism squarely on the compiler. Although processor hardware can extract a limited sort of parallelism, the best approach is to let the compiler, which can see the whole code stream, find the parallelism and make global optimizations. The compiler communicates this parallelism explicitly to the processor hardware by creating a three-instruction bundle with directions on how the instructions should be executed. The hardware focuses almost entirely on executing the code as quickly as possible.
* IPF is a registered trademark of the Intel Corporation
The EPIC architecture, together with several other architecture innovations, gives the IPF processors a significant advantage over both IA32 and 64-bit RISC systems. As co-developer of the Itanium 2 architecture, HP has been able to take the lead in bringing production-ready Itanium 2 based servers to market.
As shown on the slide, Intel has already released several generations of Itanium 2 processors.
The latest generation of Itanium processors, the 9300 series "Tukwila" processor series, features four processor cores on a single chip die, which increases computing density and delivers significant performance gains over earlier single- and dual-core processors. HP's newest systems utilize the 9300 series processor chips. Older models utilize the dual-core 9100 and 9200 series Itanium processors.
These multi-core processors are further enhanced by increasing the on-chip cache sizes in each successive processor generation.
The PA-RISC Processor Family
Earlier model HP-UX systems utilized HP's proprietary Precision Architecture RISC (PA-RISC) processors. All recent HP servers that utilized PA-RISC carried the "HP 9000" brand name.
PA-RISC used Reduced Instruction Set Computing (RISC) principles to provide high performance and high reliability. HP offered several iterations of its PA-RISC technology over the years. The early PA7000 series of chips used a 32-bit architecture, while the newer PA8000 series chips used a 64-bit architecture.
HP's PA8800 and PA8900 processors are dual-core processors. A single PA8800 or PA8900 processor may contain one or two PA-RISC processor "cores", thus allowing twice as many processors in a single system as was previously possible. The hp9000 Superdome supported up to 64 processor modules, a total of up to 128 PA8900 processor cores.
The PA8900 processor was the last processor in the PA-RISC family. HP stopped selling PA-RISC servers at the end of 2008, but will support PA-RISC at least through 2013.
PA-RISC / Integrity Application Compatibility
Compatibility is an important feature that HP has always recognized and that HP customers have come to expect.
For user space applications that utilize published APIs, HP:
• Maintains forward data, source, build environment, and binary compatibility across all hardware platforms of the same architecture family (e.g. Intel® Itanium® or PA-RISC) which are supported by the same version of HP-UX;
• Provides forward data, source, build environment, and binary compatibility across HP-UX release versions and updates on HP 9000 servers and Integrity servers on their respective architectures. This is true for 32-bit or 64-bit applications on either architecture family;
• Delivers new features and improved performance with each new HP-UX release.
Binary compatibility across operating system releases applies to legacy features (features that were present in the earlier release). There are some instances, however, where applications may be required to recompile in order to use or leverage a new feature.
See the HP-UX release notes for information on new features that may require changes to applications.
NOTE: This binary compatibility does not apply to kernel-intrusive applications or applications that rely on proprietary data structures inside HP-UX.
Although most "well-behaved" PA-RISC binaries execute successfully on an Integrity system, the performance of a PA-RISC application running in compatibility mode may be less than that of the same application recompiled and running in native mode. PA-RISC applications that are largely interactive or I/O intensive should experience little to no noticeable degradation in performance, while those that perform heavy computation may run noticeably slower on an Integrity system than on a recent PA-RISC system. HP recommends recompilation for all applications and libraries where performance is a concern.
Additionally, there is complete data compatibility between the HP-UX 11i releases for PA-RISC and Itanium-based systems. No data conversion is required when transferring data between releases of HP-UX 11i on PA-RISC and Integrity servers.
For a more complete discussion of HP-UX compatibility, see the "HP-UX 11i compatibility for HP Integrity and HP 9000 servers" white paper at http://www.hp.com/go/hpux11icompatibility.
HP Integrity servers with Intel Itanium 2 processors offer the best HP-UX performance, scalability, and investment protection available. HP encourages current PA-RISC customers to consider upgrading their systems to Itanium. Consult your sales representative for details.
Determining your Processor Type
On 11i v1 and v2 systems, you can determine your processor type via the SAM system properties screen.
# sam -> Performance Monitors -> System Properties -> Processor
On Integrity systems, you can determine your processor type and configuration via the machinfo command.
# machinfo
CPU info:
2 Intel(R) Itanium(R) Processor 9340s (1.6 GHz, 20 MB)
4.79 GT/s QPI, CPU version E0
8 logical processors (4 per socket)
Memory: 32670 MB (31.9 GB)
Firmware info:
Firmware revision: 01.02
FP SWA driver revision: 1.18
IPMI is supported on this system.
BMC firmware revision: 1.00
Platform info:
Model: "ia64 hp Integrity BL860c i2"
Machine ID number: 669ab3af-3d4c-11df-abc1-1a4b5386cd07
Machine serial number: USE008XX06
OS info:
Nodename: bl860-1
Release: HP-UX B.11.31
Version: U (unlimited-user license)
Machine: ia64
ID Number: 1721414575
vmunix _release_version:
@(#) $Revision: vmunix: B.11.31_LR FLAVOR=perf
For More Information
For more information on HP's Itanium strategy, visit our IPF home page at http://www.hp.com/go/itanium/.
To learn more about HP's PA-RISC to Integrity migration program, visit http://www.hp.com/go/hp9000.
5-3. SLIDE: Cell Boards, Blades, Crossbars, and Blade Links
On HP's mid-range and high-end servers, and on newer blade servers:
• Each system is comprised of one or more cell boards or blades
• Each cell board or blade contains a portion of the system's memory and CPU resources
• All cell boards or blades are interconnected via a low latency crossbar or blade link
• Result: Any processor core can access resources on any blade or cell board
[Slide diagram: same hardware block diagram as on slide 5-1.]
Student Notes
On HP's mid-range and high-end servers, and on newer blade servers, each system is comprised of one or more cell boards or blades. Each cell board or blade contains a portion of the system's memory and CPU resources.
All of the system's cell boards or blades are interconnected via a low latency "crossbar" (on mid-range and high end servers) or blade link (on the blade servers).
HP's crossbar and blade link technologies ensure that any processor core on a system can access resources on any other blade or cell board on that same system.
The diagram below shows the blade link used to interconnect foundation blades in HP's newer Integrity blade servers:
[Diagram: blade link interconnecting foundation blades]
The diagram below shows the HP sx2000 crossbar technology used to interconnect cell boards in HP's cell-based midrange and high-end Superdome servers:
[Diagram: HP sx2000 crossbar]
The diagram below shows the HP sx3000 crossbar technology used to interconnect Superdome 2 blades on the new Superdome 2 server:
[Diagram: HP sx3000 crossbar]
5-4. SLIDE: SBAs, LBAs, and PCI Expansion Buses
• System and Local Bus Adapters provide connectivity to I/O expansion buses
• I/O expansion buses provide one or more slots for device adapter cards
• HP supports PCI, PCI-X, and PCI-E bus types, and slot speeds up to ~2GB/sec
• HP OL* functionality on some servers facilitates adding/removing cards online
• Dedicated buses minimize downtime and maximize performance
[Slide diagram: same hardware block diagram as on slide 5-1.]
Student Notes
Every cell, system board, or blade has a System Bus Adapter (SBA) that provides connectivity between the system's processors and the I/O expansion buses.
The SBA connects to one or more Local Bus Adapters (LBAs) on the system's I/O backplane via a high-speed communications channel known as a "rope". Some LBAs have a single rope connection to the SBA. Other LBAs utilize two ropes to the SBA for greater bandwidth.
Each LBA provides an I/O bus to support one or more interface adapters or Host Bus Adapters (HBAs).
PCI, PCI-X, and PCI-Express Expansion Buses
HP's current servers utilize Peripheral Component Interconnect (PCI)-based I/O buses. PCI is a bus architecture that provides high-speed connectivity to and between interface adapters. PCI was developed by Intel, but has become an industry standard that is used on many platforms.
Since it was first introduced, the PCI standard has been enhanced several times to accommodate the greater bandwidth and shorter response times demanded from the input/output (I/O) subsystems of enterprise computers. The table below lists the PCI bus types available on recent Integrity servers.
Slot Type        Bus Width   Bus Frequency   Bandwidth
PCI              32 bits     33.3 MHz        133 MB/s
PCI 2x / Turbo   64 bits     33.3 MHz        266 MB/s
PCI-X 66         64 bits     66.6 MHz        0.5 GB/s
PCI-X 133        64 bits     133 MHz         1.1 GB/s
PCI-X 266        64 bits     266 MHz         2.1 GB/s
PCI-Express      64 bits     266 MHz         2.6 GB/s
The architecture diagram below shows the bus types provided on an Integrity rx6600 entry-class server. Model-specific technical white papers on HP's http://www.hp.com/go/servers website provide similar technical details for other server models, too.
[Diagram: Integrity rx6600 architecture and bus types]
Expansion Slots, I/O Chassis, I/O Expansion Enclosures, and Mezzanine Cards
Rackmount entry-class and mid-range servers have card slots on the backplane of the server which host the expansion cards.
Superdome servers host expansion cards in one or more I/O chassis accessible from the front and rear of the server.
Superdome 2 servers have no internal expansion card slots. Rather, Superdome 2 servers host expansion cards in one or more external I/O expansion enclosures.
HP Integrity blade server administrators can add additional interfaces via the "mezzanine" expansion card slots located directly on the server blades.
Slides later in the module describe each of these expansion solutions in greater detail.
Learning More about Your Server's Expansion Buses
To learn more about the expansion slots and cards available for your server, review your model's QuickSpecs on http://www.hp.com/go/servers.
5–5. SLIDE: iLO / MP Cards

Student Notes

The next few slides discuss some of the cards and adapters that occupy PCI, PCI-X, and
PCI-Express buses.

All of HP's recent server models support an Integrated Lights Out / Management Processor
(iLO/MP). The iLO/MP provides several important features:

• Local console access via a local serial port: Attach an ASCII terminal to the MP Serial
  port to install, update, boot, and reboot.
• Remote console access via modem or via telnet, HTTPS, or SSH network services:
  Remote administrators can use these iLO/MP features to remotely install, update, boot,
  reboot, and perform other administration tasks.
• Hardware monitoring and logging: The iLO/MP captures system hardware level
  diagnostics and system messages.
• Power management and control: Use the iLO/MP to view power status and power on/off
  system components.
• And much more... The iLO/MP chapter elsewhere in this course describes these and
  many other iLO/MP features in detail.

iLO / MP Cards
• All current HP servers support an Integrated Lights Out Management Processor
• The iLO / MP provides:
  - Local console access via a local serial port
  - Remote console access via modem or via telnet, HTTPS*, or SSH* network services
  - Hardware monitoring and logging
  - Power management and control
* Not supported on all models
[Slide diagram: server I/O architecture showing CPUs, memory, SBA, LBAs, PCI-X buses,
Core I/O, iLO / MP, FC HBAs, and SAN LUNs]

5–6. SLIDE: Core I/O Cards

Student Notes

All Integrity servers include a Core I/O card or equivalent built-in interfaces that
provide basic server connectivity. Cell-based servers may have multiple Core I/O cards to
support node partitioning. Core I/O configurations vary, but typically include some
combination of the following:

• One or more Parallel Small Computer System Interface (SCSI) interfaces for connecting
  the internal disk(s), tape drive, and optional DVD.
• A Serial Attach SCSI (SAS) interface, for connecting the internal disk(s). SAS provides
  greater expandability and better performance than parallel SCSI technology. Newer
  systems include SAS rather than parallel SCSI interfaces.
• One or two 10/100/1000BaseT interfaces, for connecting the system to a Local Area
  Network. Newer blade servers include standard, built-in "LAN on Motherboard" (LOM)
  dual-port 10Gb Ethernet interfaces.
• One or more serial ports, for connecting a terminal, modem, or serial printer.
• One or more USB ports, for connecting a local keyboard and/or mouse.
• A graphics/VGA adapter for connecting a local VGA monitor. This feature is only
  available on some entry-class servers.
• Audio ports, for connecting a headphone, microphone, and/or speakers. This feature is
  only available on some entry-class servers.

To learn more about your server's Core I/O features, review your model's QuickSpecs on
http://www.hp.com/go/servers.

Core I/O Cards
• All HP servers include at least one Core I/O card or equivalent built-in interfaces

Common Core I/O Functions   Typical Usage
Parallel SCSI               Boot disk, tape, and DVD connectivity
Serial Attach SCSI          Boot disk connectivity
10/100/1000BaseT adapter    LAN connectivity
Serial                      Serial terminal/modem connectivity
USB                         Keyboard & mouse
Graphics/VGA                VGA monitor
Audio                       Speakers & Headphones

[Slide diagram: server I/O architecture showing CPUs, memory, SBA, LBAs, PCI-X buses,
Core I/O, iLO / MP, FC HBAs, and SAN LUNs]

5–7. SLIDE: Internal Disks, Tapes, and DVDs

Student Notes

The Core I/O / integrated parallel SCSI and SAS interfaces are commonly used to connect
internal mass storage devices.

Entry-class, mid-range, and Integrity blade server models support at least two internal
SAS or SCSI disks. Entry-class servers support at least one internal DVD drive; some
support one or more optional internal DDS tape drives, too.

HP's high-end Superdome and Superdome 2 servers do not include any internal disk or tape
drives; they rely on external devices or devices installed in an adjacent I/O expansion
cabinet.

On all current systems, the internal disk and tape devices are "hot-pluggable", enabling
the administrator to service the devices while the server remains running in most cases.
See your server's user service manual for details.

Many models now support HP's SmartArray controller cards. The SCSI and SAS SmartArray
cards provide hardware-based mirroring functionality using the server's internal disks.
This useful feature ensures that the system continues running even if an internal disk
fails.

To learn more about your server's internal mass storage options, review your model's
QuickSpecs on http://www.hp.com/go/servers.

Internal Disks, Tapes, and DVDs
• Blade and rackmount servers support two or more internal hot-plug SCSI or SAS disks
• Rackmount servers also support one or more internal hot-plug DVD or DDS drives
• Most server models support an optional SmartArray controller
• SmartArray controller provides RAID 1, 5, and 6 functionality
[Slide diagram: server I/O architecture showing CPUs, memory, SBA, LBAs, PCI-X buses,
Core I/O, iLO / MP, FC HBAs, and SAN LUNs]
