Administration Guide
You can access information in the SDR by using SP Perspectives, SMIT
panels, or the SDR command line interface. The SDR command line
interface is used by SP Perspectives, SMIT, and various other SP
commands. You do not need to use the SDR commands directly unless you
are instructed to by an IBM service representative. Many system
management commands, such as spbootins, manipulate SDR data.
You must be authorized to access the SDR. The SDR performs
authentication before allowing read-write access.
The SDR handles authentication differently depending on whether DCE is
being used as an authentication method. Authentication methods are
enabled per SP system partition. If the SDR server (the sdrd daemon
running in an SP system partition) is using DCE, authentication is done
using DCE. If sdrd is not using DCE, authentication is done as it was
before PSSP 3.2: you must be the root user on the control workstation or
an SP node. An SP node is specifically one that has a connecting adapter
defined in an SDR Adapter class object. When not using DCE
authentication, a node can write only to partition-sensitive classes
within the partition or to system classes.
To support coexistence with earlier levels of PSSP software, DCE
authentication is not used when the compatibility authentication method is
enabled for SP trusted services or when no authentication method is
set. That means during a system migration, the SDR is no less secure
than in a system without DCE and will be no more secure until after DCE is
enabled on the control workstations and all the nodes.
On systems that do not use DCE, the SDR has two levels of
authorization: read-write and read-only. On systems using DCE the
SDR has three levels of authorization: read-only, read-write, and
read-write-admin. Commands issued without the necessary authorization
will fail.
Table 21 shows the conditions under which each level of authorization
is given on a system not using DCE.
Table 21. SDR authorizations on a system without DCE

| Machine | Root User | Non-Root User |
|---|---|---|
| Control Workstation | read-write | read-only |
| SP Node | read-write | read-only |
| Other | read-only | read-only |
On DCE systems, anyone is allowed to read the SDR. Write and admin
access is authorized by membership in eight DCE groups. The admin
authority includes write authority as well. There are separate access
groups for system classes and for partition-sensitive classes. There
are user access groups to which a security administrator can add user
principals and there are service access groups that are for the SP trusted
services. The groups are the following:
- ssp/sdr-admin
  user group for partition-sensitive classes
- ssp/sdr-write
  user group for partition-sensitive classes
- ssp/sdr-admin-services
  services group for partition-sensitive classes
- ssp/sdr-write-services
  services group for partition-sensitive classes
- ssp/sdr-system-class-admin
  user group for system classes
- ssp/sdr-system-class-write
  user group for system classes
- ssp/sdr-system-class-admin-services
  services group for system classes
- ssp/sdr-system-class-write-services
  services group for system classes
Only partition-sensitive classes are defined as being partitionable in the
spsec_defaults configuration file. To have a separate group
for each partition, you can define the :p option for the
group in the spsec_overrides file.
The SDR commands that require write permission are the following:
- SDRChangeAttrValues
- SDRCreateObjects
- SDRDeleteObjects
- SDRMoveObjects
- SDRReplaceFile
The SDR commands that require admin permission are the following:
- SDRClearLock
- SDRCreateClass
- SDRCreateFile
- SDRDeleteFile
- SDRCreateSystemClass
- SDRCreateSystemFile
- SDRDeleteSystemFile
If a partition has both DCE and compatibility authentication set for SP
trusted services, root users on the SP will be able to do SDR write and admin
operations. Also, anyone with DCE credentials that are in one or more
DCE SDR access groups will be able to do SDR write and admin
operations.
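The DCE group rules above can be turned into a small least-privilege check. This is an added example in POSIX shell, not PSSP code: the function names are illustrative, the caller supplies the kind of class a command targets, and the default group names are assumed (no :p overrides). It models DCE authorization only, not the root-user path that applies when compatibility authentication is also set.

```shell
# Added example, not PSSP code. Command lists and group names are the ones
# given on this page; function names are illustrative.

# sdr_required_level CMD: print write, admin, or unlisted.
sdr_required_level() {
  case "$1" in
    SDRChangeAttrValues|SDRCreateObjects|SDRDeleteObjects|SDRMoveObjects|SDRReplaceFile)
      echo write ;;
    SDRClearLock|SDRCreateClass|SDRCreateFile|SDRDeleteFile|SDRCreateSystemClass|SDRCreateSystemFile|SDRDeleteSystemFile)
      echo admin ;;
    *) echo unlisted ;;
  esac
}

# sdr_dce_allowed CMD KIND "GROUPS"
#   KIND   = system | partition (kind of class the command targets)
#   GROUPS = space-separated DCE groups held by the principal
# Returns 0 if allowed, 1 if denied, 2 if this page does not classify the input.
sdr_dce_allowed() {
  need=$(sdr_required_level "$1")
  case "$2" in
    system)    base=ssp/sdr-system-class ;;
    partition) base=ssp/sdr ;;
    *) return 2 ;;
  esac
  [ "$need" = unlisted ] && return 2
  for g in $3; do
    case "$g" in
      "$base-admin"|"$base-admin-services") return 0 ;;  # admin includes write
      "$base-write"|"$base-write-services")
        [ "$need" = write ] && return 0 ;;
    esac
  done
  return 1
}

# Constructed input: a principal that holds only the partition write group.
for c in SDRCreateObjects SDRClearLock; do
  if sdr_dce_allowed "$c" partition "ssp/sdr-write"; then
    echo "$c: allowed"
  else
    echo "$c: denied"
  fi
done
```

Running it over the group list of each principal shows which accounts hold admin authority they do not need.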
There are three ways in which a process can locate the SDR server.
They are selected in the following order of preference but when one method is
selected, no other methods are attempted. This means that if method 1
is available, only method 1 is attempted. If it fails, methods 2 and 3
are not attempted.
1. The destination is passed as the third parameter in the
   SDROpenSession command. This only works for library routines
   and therefore may be used by some SP subsystems, such as the Resource
   Manager. The destination is the hostname or TCP/IP address of the
   control workstation where the SDR runs.
2. The SP_NAME environment variable is set to the hostname or TCP/IP
   address of the control workstation where the SDR runs.
3. The /etc/SDR_dest_info file is present and has the
   primary record set to the hostname or TCP/IP address of the control
   workstation where the SDR runs. This file is installed on the control
   workstation and all SP system nodes along with the PSSP software.
The /etc/SDR_dest_info file is created on the control workstation
at system installation, and propagated to all nodes in the SP system.
The /etc/SDR_dest_info file has the following format:
* comments have an asterisk in column 1
default: <TCP/IP address of default system partition>
primary: <TCP/IP address of node's partition>
nameofdefault: <hostname of default system partition>
nameofprimary: <hostname of name of the node's partition>
The default record identifies the default system partition.
The default record is used at boot time so that the node can determine if it
has changed system partitions.
Only the primary record is used by the SDR to locate the control
workstation where the SDR server runs.
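The lookup order and the SDR_dest_info format above, as an added example in POSIX shell (not PSSP code; the function names and sample addresses are made up for illustration). It reports which method a client would select and flags an SP_NAME value that disagrees with the file's primary records, which matters because a selected method that fails is not followed by the others.

```shell
# Added example, not PSSP code. Function names are illustrative.
# sdr_record FILE KEY: print the value of one record, skipping '*' comments.
sdr_record() {
  awk -v k="$2:" '/^\*/ {next}
    $1 == k && NF >= 2 {print $2; found = 1; exit}
    END {exit !found}' "$1"
}

# sdr_locate DEST [FILE]: print the selected method and its target.
# DEST stands for the third parameter of SDROpenSession ("" if not passed).
sdr_locate() {
  dest=$1; file=${2:-/etc/SDR_dest_info}
  if [ -n "$dest" ]; then
    echo "session-parameter $dest"
  elif [ -n "${SP_NAME:-}" ]; then
    echo "SP_NAME $SP_NAME"        # wins over the file; no fallback if wrong
  elif host=$(sdr_record "$file" primary 2>/dev/null); then
    echo "dest-file $host"
  else
    return 1
  fi
}

# sdr_env_mismatch FILE: succeed when SP_NAME is set but matches neither the
# primary nor the nameofprimary record of FILE.
sdr_env_mismatch() {
  [ -n "${SP_NAME:-}" ] || return 1
  ip=$(sdr_record "$1" primary 2>/dev/null) || ip=
  name=$(sdr_record "$1" nameofprimary 2>/dev/null) || name=
  [ "$SP_NAME" != "$ip" ] && [ "$SP_NAME" != "$name" ]
}

# Constructed sample file (documentation addresses, not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
* constructed sample
default: 192.0.2.10
primary: 192.0.2.20
nameofdefault: cws-a.example
nameofprimary: cws-b.example
EOF
( unset SP_NAME; sdr_locate "" "$sample" )
( SP_NAME=192.0.2.99
  if sdr_env_mismatch "$sample"; then echo "SP_NAME overrides $sample"; fi )
rm -f "$sample"
```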
The SDR daemon writes information to a log named
/var/adm/SPlogs/sdr/sdrdlog.syspar_ip_addr.pid,
where syspar_ip_addr is the IP address of the system partition and
pid is the process ID of the SDR daemon (sdrd
process). This log will contain the date and time the process started,
as well as problems encountered by the daemon in the course of
operation.
The RS/6000 SP System Management SMIT panel provides options for accessing
configuration data in the SDR. To invoke this panel:
- TYPE
  smit
  The System Management menu appears.
- SELECT
  RS/6000 SP System Management
  The RS/6000 SP System Management menu appears.
The RS/6000 SP System Management menu offers the following options:
- RS/6000 SP Configuration Database Management
The dialogs available through this path allow you to enter, list, and
change information during the installation process about your nodes, primary
and secondary external LANs, and switch connections, as well as site
environment information. These tasks are explained in the
PSSP: Installation and Migration Guide.
The choices from this menu are:
- Enter Database Information
- Site Environment Information
- SP Frame Information
- Hardware System Console Information
- Non-SP Frame Information
- Node Database Information
- Node Group Information
- System Partition Configuration
- Extension Node Database Information
- Run setup_server Command
- List Database Information
- List Site Environment Database Information
- List Frame Database Information
- List Node Database Information
- Examine Partition Node Groups
- List System Partition Database Information
- List LAN Database Information
- List Extension Node Database Information
- List Extension Node Adapters Database Information
- Aggregate IP Database Information
- Delete Database Information
- Delete Frame Information
- Delete Node Information
- Delete Volume Group Information
- Delete Adapter Information
- Delete Node Group Information
- Delete Node Expansion Information
- Delete Extension Node Information
- Delete Extension Node Adapter Information
- Delete Aggregate IP Information
- Delete Hardware System Console Information
- RS/6000 SP Cluster Management
The choices from this menu are:
- Run setup_server Command
- Select System Tuning Parameters
- Perform Switch Operations
- Run enadmin Command
- RS/6000 SP Configuration Information
Using this path, you can display configuration information about your
nodes, networks, file systems, and paging spaces.
The choices from this menu are:
- List Node Hardware Information
- List Node Network Information
- List Node File System Information
- RS/6000 SP Users
Using this path, you can add and delete users, as well as change user
management attributes such as passwords.
The choices from this menu are:
- Add a User
- Change/Show Characteristics of a User
- Remove a User
- RS/6000 SP Installation/Configuration Verification
Use this path to check that your PSSP software options are installed
correctly.
The choices are:
- System Monitor Installation
- System Monitor Configuration
- System Data Repository
- System Data Repository Scan
- System Management
- Communication Subsystem
- System Partition Configuration
- Job Switch Resource Table Services Installation
- Resource Manager Installation
- Resource Manager Configuration
- RS/6000 SP Supervisor Manager
The choices are:
- Check for Supervisors That Require Action (Single Message Issued)
- List Status of Supervisors (Report Form)
- List Status of Supervisors (Matrix Form)
- List Supervisors That Require Action (Report Form)
- List Supervisors That Require Action (Matrix Form)
- Update *ALL* Supervisors That Require Action (Use Most Current
Level)
- Update *ALL Frame* Supervisors That Require Action (Use Most
Current Level)
- Update Selectable Supervisors That Require Action (Use Most Current
Level)
- RS/6000 SP Resource Manager
The choices are:
- Change/Show Configuration Data
- Start the Resource Manager
- Reconfigure the Resource Manager
- Stop the Resource Manager
- RS/6000 SP Security
The choices are:
- Select Security Capabilities Required on Nodes
- Create DCE hostnames
- Update SDR with DCE Master Security and CDS Server Hostname
- Configure DCE Clients (Admin portion)
- Configure SP Trusted Services to use DCE Authentication
- Create SP Trusted Services Keyfiles
- Select Authorization Methods for AIX Remote Commands
- Enable Authentication Methods for AIX Remote Commands
- Enable Authentication Methods for SP Trusted Commands
- Hardware Monitor DCE Objects
- Manage SP ACLs
- RS/6000 SP Log Management
The choices are:
- AIX Error Log
- Syslog
- General Log Viewing
- Archive Logs
- Collect Logs for Service
The menu selections run standard AIX commands and, in some cases, add
information from the Hardware Monitor and reformat the output for
usability. Let's examine the options on the list menu in more
detail. The Configuration Information menu contains options that invoke
the AIX commands listed in Table 22.
Table 22. Commands invoked by SMIT panels

| Select: | To: |
|---|---|
| List Node Hardware Information | Run the AIX lscfg command to display the name, location, and description of the devices related to the nodes |
| List Node Network Information | Run the AIX netstat -in command to show the state of the nodes' configured interfaces |
| List Node File System Information | Run the AIX df command to display the total space and available space on the node file systems |
- SELECT
  Any of the three choices
  SMIT runs the corresponding AIX command for all the nodes and displays
  the information in a scrollable window.
You can also list the configuration data using the splstdata
command. See the book PSSP: Command and Technical
Reference for complete syntax and examples.
A command line interface allows you to display, change, or delete the
contents of an SDR object without invoking SMIT panels.
These commands are used by the PSSP components to operate on SDR
data. You should not need to use these commands directly. Should
you choose to use them, do so with caution. SDR contents can be
corrupted or made inaccessible.
The following list briefly describes these commands. See the book
PSSP: Command and Technical Reference for exact
syntax.
- SDRAddSyspar
  The PSSP components use this command to create a new daemon using the
  System Resource Controller (SRC).
- SDRArchive
  The PSSP components use this command to create an archive file
  containing all current SDR class attributes.
- SDRChangeAttrValues
  The PSSP components use this command to change the attribute values of
  an existing object.
- SDRClearLock
  The PSSP components use this command to unlock a class that is locked,
  regardless of who has the lock. This is for system administration use
  only and should be used with caution.
- SDRCreateAttrs
  The PSSP components use this command to create new attributes for an SDR
  class.
- SDRCreateClass
  The PSSP components use this command to create a new class of objects
  and its attributes.
- SDRCreateFile
  The PSSP components use this command to create an SDR file from an AIX
  file.
- SDRCreateObjects
  The PSSP components use this command to create one or more new objects
  and define their attribute values.
- SDRCreateSystemClass
  The PSSP components use this command to create a system class.
- SDRCreateSystemFile
  The PSSP components use this command to create a file that can be
  retrieved from any system partition.
- SDRDeleteFile
  The PSSP components use this command to delete an SDR file.
- SDRDeleteObjects
  The PSSP components use this command to delete target objects.
- SDRGetObjects
  The PSSP components use this command to query the values of target
  objects and attributes and print them to stdout.
- SDRListClasses
  The PSSP components use this command to list the class names in the
  SDR.
- SDRListFiles
  The PSSP components use this command to first list all the files in the
  system area, then list all the files in the system partition area.
- SDRMoveObjects
  The PSSP components use this command to move objects from one system
  partition to another.
- SDRRemoveSyspar
  The PSSP components use this command to remove the entire contents of
  the subdirectory under system partitions. It uses the SRC to remove the
  daemon that serves the system partition.
- SDRReplaceFile
  The PSSP components use this command to replace the specified SDR file
  with the specified AIX file.
- SDRRestore
  The PSSP components use this command to overwrite the current SDR with
  the contents of an archived SDR file.
- SDRRetrieveFile
  The PSSP components use this command to create an AIX file from an SDR
  file.
- SDR_test
  The PSSP components use this command to verify that the installation and
  configuration of the SDR completed successfully.
- SDRWhoHasLock
  The PSSP components use this command to query the lock transaction ID
  for a specified object class.