Securing SSH on IBM i

On IBM i systems the SSH service plays an important role in modernisation: it can be used, for instance, to take advantage of new software development tools such as VS Code For I, or in an innovative software release context based on pipelines. SSH (or rather SFTP) also plays a key role in securing data exchange flows by gradually replacing the plain-text transfers that used to rely on the FTP protocol, which is popular in the IBM i context.

At the moment the SSHD server doesn't have any kind of exit point that we can use to restrict or manage connections to it... This doesn't mean that it is not possible to make this server secure! In this article we will show how to restrict access to specific users (or groups of users) and log the access attempts that are made.

What do we need to know? The SSHD server behaves the same way it does on other platforms and therefore accepts the same directives, so if you are familiar with some other UNIX-like platform you won't have any problem. As far as logging is concerned, we will again use a very convenient and widely used UNIX utility, namely syslogd.

How to configure and activate SysLogD?

This service is installed automatically with the 5733SC1 operating system product. Activating the daemon is quite simple: you only need to submit a job that starts it, with this command: SBMJOB CMD(STRQSH CMD('/QOPENSYS/USR/SBIN/SYSLOGD')) JOB(SYSLOGD) JOBQ(QSYSNOMAX) (P.S. you need to put this command into your QSTRUP program)

To check that everything is OK, look at NETSTAT option 3: you should find UDP port 514 in listening status.

So, now that the daemon is active, you only need to change your SSHD configuration file so that all entries are sent to the syslog server:

  1. Edit file /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config
    • uncomment the line # SyslogFacility AUTH
    • uncomment the line # LogLevel INFO
  2. Create syslog configuration file /QOpenSys/etc/syslog.conf
    • add the line *.info /var/log/messages
    • add the line auth.info /var/log/auth
  3. Create necessary folders and files
    • mkdir /var/log
    • touch /var/log/messages
    • touch /var/log/auth
  4. Restart the sshd server and check the /var/log/messages or /var/log/auth files

How to restrict access to ssh?

User restriction in ssh can be configured in two directions: either define the list of users who are not authorised to connect, so that all the others are, or define the list of users who are authorised, so that all the others are not.
In my case the choice falls on the second possibility, authorising access to this service only to restricted groups of users.

  1. Edit file /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config
    • To authorise specific groups add the following line: AllowGroups group1 group2
    • To authorise specific users add the following line: AllowUsers user1 user2
    • To deny access to specific users add the following line: DenyUsers user1 user2
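As an added example (not part of the original post), here is a small POSIX shell script that checks which of the directives above are active in sshd_config and summarises the sshd entries that land in /var/log/auth once syslogd is configured. The config and log lines it uses are constructed samples; the refusal messages follow the wording OpenSSH sshd emits for AllowUsers/AllowGroups.

```shell
#!/bin/sh
# Added example (not from the original post): check the sshd_config directives
# described above and summarise the /var/log/auth file that syslogd fills.
# Run it against the real paths from the post, or try the constructed samples.

# Print the active (uncommented) value of a directive, or "unset".
# The first occurrence wins, which is how sshd itself reads the file.
sshd_directive() {  # $1 = config file, $2 = directive name (case-insensitive)
    awk -v d="$2" '!found && tolower($1) == tolower(d) { found = 1; $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print (found ? v : "unset") }' "$1"
}

# Count, per user, accepted logins, failed passwords and connections that sshd
# refused because of AllowUsers/AllowGroups/DenyUsers. Output is sorted.
summarize_auth_log() {  # $1 = auth log file
    awk '
      function after(word,   i) { for (i = 1; i < NF; i++) if ($i == word) return $(i + 1); return "?" }
      /sshd\[.*: Accepted /         { u = after("for"); if (u == "invalid") u = after("user"); acc[u]++ }
      /sshd\[.*: Failed /           { u = after("for"); if (u == "invalid") u = after("user"); fail[u]++ }
      /sshd\[.*not allowed because/ { deny[after("User")]++ }
      END {
        for (u in acc)  printf "accepted %s %d\n", u, acc[u]
        for (u in fail) printf "failed %s %d\n", u, fail[u]
        for (u in deny) printf "denied %s %d\n", u, deny[u]
      }' "$1" | LC_ALL=C sort
}

# Constructed sample data so the script can be tried without a live system.
make_sample_config() {
    f=${TMPDIR:-/tmp}/sshd_config.sample.$$
    printf '%s\n' '#SyslogFacility AUTH' 'SyslogFacility AUTH' 'LogLevel INFO' 'AllowGroups sshusers devops' > "$f"
    echo "$f"
}
make_sample_log() {
    f=${TMPDIR:-/tmp}/auth.sample.$$
    cat > "$f" <<'EOF'
Jan 10 09:01:02 IBMI sshd[12345]: Accepted publickey for andrea from 10.0.0.5 port 51000 ssh2
Jan 10 09:02:10 IBMI sshd[12346]: Failed password for invalid user root from 203.0.113.7 port 40022 ssh2
Jan 10 09:02:15 IBMI sshd[12346]: Failed password for invalid user root from 203.0.113.7 port 40022 ssh2
Jan 10 09:03:30 IBMI sshd[12347]: User bob from 10.0.0.9 not allowed because not listed in AllowUsers
Jan 10 09:04:00 IBMI sshd[12348]: User carol from 10.0.0.10 not allowed because none of user's groups are listed in AllowGroups
EOF
    echo "$f"
}
cfg=$(make_sample_config)
for d in SyslogFacility LogLevel AllowGroups AllowUsers DenyUsers; do
    printf '%-15s %s\n' "$d" "$(sshd_directive "$cfg" "$d")"
done
summarize_auth_log "$(make_sample_log)"
```

A "denied" line for a user who should have access usually means the user's group is missing from AllowGroups, while repeated "failed" entries for unknown users are the first sign that the port is being probed.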

And you, what kind of approach do you use to secure ssh?

Andrea

This article also applies to AIX or Linux; in that case you only need to change the path of the configuration file, i.e. /etc/ssh/sshd_config

AIX and PostgreSQL… What a couple!

A very important and often fascinating challenge (at least from my perspective) is to give a new way of reading, and then using, what are often unfortunately referred to as legacy systems. Being heavily involved in research and development where I work, I have the opportunity to take up this challenge, partly out of personal ambition but more importantly to offer new solutions to new customer needs.

In this article/guide we will see how easy it is to install and configure the relational DBMS PostgreSQL on AIX.

Why PostgreSQL? It is one of the most widely used open-source relational DBMSs in the world, and by some estimates one of the fastest growing. There are several reasons to choose it as a DBMS: a rich support community, a natural propensity for scalability and security, support for some non-standard data types that make it extremely convenient for users who are less experienced on the database side but more oriented towards development, and so on...

Why AIX? AIX is a Unix-like operating system from IBM and one of the most robust operating systems in terms of the little downtime it requires in enterprise contexts, the ideal system for a company that cannot stop its production. Like IBM i, AIX is also facing a very important step: opening up to the outside world and integrating with new open source technologies. There are many packages (even if not enough) that can be easily installed using the DNF package manager.

Unfortunately PostgreSQL is not one of them, but let's not get discouraged: it can still be installed with some ease!

First, go to the PostgreSQL documentation to check that the minimum requirements are met. You won't have a problem here, because you need at least AIX 6.1 (which is quite old :-D). In addition you need GMAKE and GCC installed; if you don't have them you can easily install them via DNF. Now, keep this link handy: it gives you a lot of information about compiling PostgreSQL from source.

Getting the source code: first choose which version of PostgreSQL you want to install, then use the WGET command (installable via DNF) directly from your system; in my case I chose 16.6:

Extracting the source code: now extract the sources from the tar.gz archive. Use the GUNZIP command, gunzip postgresql-XXXX.tar.gz, and then extract all the files with TAR: tar -xvf postgresql-XXXX.tar

Compiling the source code: now go into the folder and run ./configure --without-icu, which automatically checks dependencies and so on:

Now you are ready to compile with make and, when that has completed, with make all; and yes, as you can see, you are compiling your own PostgreSQL.

Installing: the last step is to move all the binary files to the default bin path with make install, and yes, now your installation is complete.

The last point is to configure the service account and your first database:

adduser postgres
mkdir -p /usr/local/pgsql/data
chown postgres /usr/local/pgsql/data
su - postgres
/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
/usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -l logfile start
/usr/local/pgsql/bin/createdb test
/usr/local/pgsql/bin/psql test

We are at the end of this tutorial: you have successfully installed your PG instance on your AIX. Let me take a moment to talk about High Availability. One of the best possible configurations is to use the PowerHA product for AIX to manage a resource on a cluster defined across multiple LPARs. In this case the database and its configuration must reside on a shared disk that can be switched between the partitions. Finally, define simple scripts that start and stop the service when the resource group is activated/deactivated or simply moved from one node to another.
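As an added example (not part of the original post), here is a POSIX shell control script of the kind a PowerHA resource group would call on a node; it assumes the paths and the postgres service account from the steps above, and the directory it checks at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the kind of start/stop script a
# PowerHA resource group would call when it brings the database up on a node.
# Assumes the layout set up above: binaries in /usr/local/pgsql/bin, the cluster
# on the shared disk mounted at /usr/local/pgsql/data, service account postgres.
PGBIN=${PGBIN:-/usr/local/pgsql/bin}
PGDATA=${PGDATA:-/usr/local/pgsql/data}
PGUSER=${PGUSER:-postgres}

# Checks before touching the cluster: the shared directory must be present
# (i.e. the disk is switched to this node), hold an initialised cluster and be
# owned by the service account. Prints "ok" or the first failed check.
pg_data_ready() {  # $1 = data dir, $2 = expected owner uid
    [ -d "$1" ]            || { echo "data dir $1 not present (disk not mounted?)"; return 1; }
    [ -f "$1/PG_VERSION" ] || { echo "$1 holds no initialised cluster"; return 1; }
    owner=$(ls -ldn "$1" | awk '{ print $3 }')
    [ "$owner" = "$2" ]    || { echo "$1 owned by uid $owner, expected $2"; return 1; }
    echo "ok"
}

# pg_ctl must run as the service account, never as root.
pg_ctl_as_user() {  # $@ = pg_ctl arguments
    su - "$PGUSER" -c "$PGBIN/pg_ctl -D $PGDATA $*"
}

pg_service() {  # $1 = start | stop | status
    case "$1" in
        start)
            pg_data_ready "$PGDATA" "$(id -u "$PGUSER")" || return 1
            # -w waits, so PowerHA only sees success once connections are accepted
            pg_ctl_as_user -l "$PGDATA/pg_ctl.log" -w start ;;
        stop)
            # "fast" disconnects clients cleanly; a move to another node must not
            # leave a half-written cluster on the shared disk
            pg_ctl_as_user -m fast -w stop ;;
        status)
            pg_ctl_as_user status ;;
        *)
            echo "usage: $0 start|stop|status" >&2; return 2 ;;
    esac
}

# Try the checks on a constructed directory (no real cluster needed).
demo=${TMPDIR:-/tmp}/pgdemo.$$
mkdir -p "$demo" && echo 16 > "$demo/PG_VERSION"
pg_data_ready "$demo" "$(id -u)"
rm -r "$demo"
```

Wire pg_service start and stop into the resource group's application controller; the readiness check keeps a node from starting a second postmaster against a disk that has not actually been switched to it.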

And you, have you ever tried to install and use open source apps on AIX? Let me know about it.

Andrea

The importance of sharing an Idea

What makes the difference in a platform?

Of course, stability and resilience, that is the ability to always rely on the availability of the system, its application services and especially its data.

Another focus is the simplicity of the tool and the management of the user experience. Ideally, there should also be rich documentation that helps the end user and especially the platform manager.

One point that is often overlooked, however, is the user community and the possibility of contributing to the evolution of the platform. In the context of IBM Power systems there is ample room for the community and its members: just think of you reading this post, and of all the more or less organised groups of people who share their information, their knowledge and sometimes their questions. Over the years I have had the pleasure and opportunity to attend events such as Common Europe or Tech Exchange, and I was able to see how specialists in the field were extremely willing to engage in discussion, giving the various speakers different points of view.

However, the very interesting thing I would like to focus on is the possibility of making suggestions or requests. Yes, because in the first instance a platform belongs to those who use it, those who fight with it and bang their heads against it every day. IBM in this case provides the Ideas portal, the place where any developer, systems engineer or end user can propose new features, changes to tools or system behaviours, etc. to IBM developers.

Giving feedback on the portal is very easy: just log in with an IBM id (anyone can create one for free) and select the technology for which you are opening an implementation request. Among the most popular are requests related to IBM i systems, AIX and PowerVM. At this point you need to enter a title for the idea, and the tool checks that there is not already an idea with content similar to that suggested by the title. Finally, once you have verified that it is okay, detail the request as much as possible: the more information the better.
And that's it!

The Ideas Portal also allows users to compare and evaluate other users' ideas: from there it is possible to check the other proposed ideas and give your support by voting for them.

So, at this point, please take a look at the Ideas Portal and let me know what you think.

Andrea