IBM Books

Administration Guide


Configuring the SP System Monitor

The system administration tasks for configuring the SP System Monitor include authorizing users to perform actions on hardware objects. This includes configuring hardware objects and then configuring the error log.

Step 1: Authorize users for the SP System Monitor

Authorizing users with DCE

During installation and configuration of PSSP with DCE, the following are created by default for the system monitor:

If you choose to have more granularity of access, do the following:

  1. Do a dce_login with a principal that is both in the spsec_admin group and in the hm-admin group.
  2. Populate the hardmon object database with additional objects and ACLs, according to the security policy of your organization, using the hmdceobj command or SMIT fastpath.

    You can add, delete, or list hardware objects. For example, you can grant system monitoring permission even to unauthenticated users, by adding two entries to the ACL for the system object:

Use the spacl command or the spauth_spacl SMIT fastpath to manipulate the related DCE ACLs. See Managing DCE ACLs for SP trusted services.

Authorizing users with Kerberos V4

The SP System Monitor Access Control Lists (ACLs) are found in /spdata/sys1/spmon/hmacls on the control workstation. Edit this file if you want to add users for your system. The /spdata/sys1/spmon/hmacls file is initially set up giving all levels of authority (including administrator) to the same user that is defined as the primary authentication services administrator by the setup_authent command (see Chapter 2, Security features of the SP system for more information). The hardmon principal is initially set up with monitor authority (for use by splogd).

The fields for each entry in the /spdata/sys1/spmon/hmacls file are:

object  name  permissions

where:

object
A frame number or hostname (where the hardmon daemon is running)

name
A Kerberos principal name and optional instance

permissions

a
Administrative. This gives authority to control hardmon.

m
Monitor. This gives permission to receive state changes.

s
Serial link. This gives permission to read and write to a serial port.

v
VFOP control. This gives permission to issue commands to the hardware.

Invoke the hmadm setacls command after the ACL configuration file has been modified to update the hardware monitor daemon's internal ACL tables.

Refer to Chapter 2, Security features of the SP system for more information on security considerations.
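The following is an added example, not IBM or PSSP code: a check that can be run over a copy of the hmacls file before hmadm setacls is invoked. It rejects lines that do not match the object name permissions layout or that use a letter other than a, m, s or v, and lists every name outside a reviewer-supplied trusted set that holds more than monitor authority. The sample file contents, the host and principal names, the trusted set and the treatment of fields as whitespace-separated are assumptions made for the illustration.

```python
"""Lint and review an hmacls file (added example; sample data is constructed)."""

VALID_PERMS = set("amsv")   # a, m, s, v as defined in this section

# Constructed sample, not taken from a real system. Host and principal
# names are placeholders.
SAMPLE_HMACLS = """\
cws.example.com root.admin a
1 root.admin vsm
1 hardmon.cws m
2 operator vs
2 guest mx
3 incomplete
"""

def parse_hmacls(text):
    """Return (entries, problems) for 'object name permissions' lines."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()           # assumption: whitespace-separated
        if not fields:                  # skip blank lines
            continue
        if len(fields) != 3:
            problems.append((lineno, "expected: object name permissions"))
            continue
        obj, name, perms = fields
        unknown = set(perms) - VALID_PERMS
        if unknown:
            problems.append((lineno, "unknown permission: " + "".join(sorted(unknown))))
            continue
        entries.append({"line": lineno, "object": obj,
                        "kind": "frame" if obj.isdigit() else "host",
                        "name": name, "perms": set(perms)})
    return entries, problems

def beyond_monitor(entries, trusted):
    """Entries granting a, s or v to a name outside the trusted set."""
    findings = []
    for e in entries:
        extra = e["perms"] - {"m"}
        if extra and e["name"] not in trusted:
            findings.append((e["line"], e["object"], e["name"], "".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    entries, problems = parse_hmacls(SAMPLE_HMACLS)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for finding in beyond_monitor(entries, trusted={"root.admin"}):
        print("review: line %d object %s name %s perms %s" % finding)
```

Rejected lines are reported and left out of the review, so correct them in the file before relying on the list of findings.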

Step 2: Configure the SP System Monitor error log

When the hardware supervisors indicate a warning or shutdown condition, the SP System Monitor writes a message using the AIX syslog facility and the AIX error log facility. For example, when the hardware supervisors determine that a fan has failed, the SP System Monitor writes a precise message into the log file that includes the time, node, type of error, variable name, and, in some cases, associated values.

The installation process creates the default system log file /var/adm/SPlogs/SPdaemon.log on the control workstation. You might want to configure your system to send the system log information to other locations. For example, you might want to send the SPdaemon.log messages to another workstation for convenience. You can do this using the @hostname parameter in the /etc/syslog.conf file. For more details, see the book IBM AIX Files Reference. The facility name for the SP System Monitor is daemon.

