The standard interface routines are further classified as follows: Top-level routines These APIs allow the application to specify the type of transport.
Intermediate-level routines These APIs are similar to the top-level APIs, but the user applications select the transport specific information using network selection APIs. Expert-level routines These APIs allow the application to select which transport to use. These APIs are similar to the intermediate-level APIs with an additional control that is provided by using the name-to-address translation APIs. The bottom level contains routines used for full control of transport options. These APIs allow the various applications to work in coordination with the simplified, top-level, intermediate-level, and expert-level APIs.
Bottom-level routines Other routines
The AIX V6.1 TI-RPC interface routines listed by classification level are documented in the Transport Independent Remote Procedure Call section of Chapter 8, Remote Procedure Calls, in AIX Version 6.1 Communication Programming Concepts, SC23-5258.
1.2 AIX tracing facilities review
AIX Version 6 has several tracing facilities available: AIX system trace This is the main trace facility on AIX. It supports tracing of both applications and the kernel. The AIX system trace facility is designed for tracing inside the kernel and kernel extensions. However, it also supports user-defined tracing in application code. It is based on compiled-in static trace hooks and is only enabled when needed. By default, all trace hooks are enabled when tracing is turned on. However, there are options to enable only a set of trace hooks or to disable some specific trace hooks. Both user and kernel tracing share the same system buffers. So, the application-level trace data is copied to the system buffer.
Chapter 1. Application development and system debug
Light weight memory trace Light weight memory trace (LMT) traces only key AIX kernel events and is not available in user mode. LMT is also based on compiled-in static trace hooks. It is enabled by default, but it uses a light weight mechanism to record trace data, so the performance impacts are minimal. The trace data is sent to per-CPU buffers and stays in memory until overwritten. There are commands to extract the traced data, and it is displayed using the same tools as AIX system trace. Alternatively, it can also be displayed with the kdb command or extracted from a system dump. Truss Truss is a tracing mechanism that allows tracing of all system calls and optionally all library calls executed by a specific process. So, traced events are limited to system subroutines calls. Trace output consists of the parameters passed into and the values returned from each system (and library) call. This is directly sent to the standard error of that process. There is no mechanism to save the trace data and there are no system-wide buffers.

17 256

10:54 10:54 10:54 10:30
# efsmgr -e file2 # ls -U total 32 -rw-r--r---rw-r--r--e -rw-r--r--drwxr-xr-x-

10:54 11:07 10:54 10:30

# efsmgr -l file2 EFS File information: Algorithm: AES_128_CBC List of keys that can open the file: Key #1: Algorithm : RSA_1024 Who : uid 0 Key fingerprint : e34acd99:b1f22cdc:85f638e0:3fd56e78:e3c5a3a7 # su - guest -c cat /efs/file[1-3] content of file1
cat: 0652-050 Cannot open /efs/file2. content of file3 # ls -iU file-rw-r--r--e

1 root

system

17 Sep 20 11:07 file2

# istat 7 /dev/fslv00 Inode 7 on device 10/11 File Protection: rw-r--r-Owner: 0(root) Group: 0(system) Link count: 1 Length 17 bytes Last updated: Last modified: Last accessed: Thu Sep 20 11:07:09 CDT 2007 Thu Sep 20 11:07:09 CDT 2007 Thu Sep 20 11:31:33 CDT 2007
Block pointers (hexadecimal): 2b # fsdb /dev/fslv00 Filesystem /dev/fslv00 is mounted. File System: File System Size: Aggregate Block Size: Allocation Group Size:
Modification is not permitted.
/dev/fslv(512 byte blocks) (aggregate blocks)
> display 0x2b Block: 43 Real Address 0x2b000 00000000: 023173CC 00521DBD FDE0A433 00000010: 069AE78F 13610D78 7ECCB975 00000020: F5E2DE6D AE16DEB9 4C9DF533 00000030: 4A942ADA DD08A62D 86B3D4FF 00000040: 8A4A4D4E 3330F8B00000050: 85369398 10165D90 F57E1C90 00000060: 9BAC97F3 AB308BA9 751AAA31 00000070: 11CDA7F1 BE590C7F D9E2C144 00000080: 46B83CD8 01EB3133 1F1F2FAC 00000090: ED4055BA AA16D0F0 6BD1DEEA 000000a0: BAC172E5 F4A0B05F 6DA06952 000000b0: E023B89D E7F78E05 AB94246B 000000c0: 3171B246 5C2AB5C7 B96CCF1E 000000d0: 019C5735 AB71D7E8 12FB70F5 000000e0: D1EA73FF 63746CE9 C4E5EAEB
556504CE EDD9A258 01F68EC1 0D7BA079 A830F7A4 023DD6E6 67167FFD A0DFECE3 0E016BB0 DE1D97ED CC43D1F5 6602B394 A78DE2BD 747F3DCA 7E2DD5A2
|.1s.R..3Ue.| |..a.x~.u.X| |.m.L.3.| |J.*.-..{.y| |.JMN30.d.r.0.| |.6.].~.=.| |..0.u.1g.| |..Y..D.| |F.<.13./.k.| |.@U..k.| |.r._m.iR.C.| |.#.$kf.| |1q.F\*.l.| |.W5.q.p.t.=.| |.s.ctl..~-.|
000000f0: 1FE58E32 AA82EB4F 104E72E4 EB69D87E -hit enter for more# efsmgr -d file2 # ls -iU file-rw-r--r---

Table 3-9 Option changes for netpmon command Flag or argument none Behavior in WPAR Executes the default report and displays information specific to the WPAR. Fails with a usage message, as the -@ Wparlist option is made illegal inside the WPAR. Behavior in Global Executes normally with no changes from previous versions of AIX. Prints relevant information for a given WPAR only. If the specified WPAR does not exist or is not active, then it fails with a workload partition not found message unless the workload partition name is Global. Executes normally and prints a summary of all WPARs. A workload partition name is displayed for each record. Executes normally and prints additional WPAR information. A workload partition name is displayed for each record.

-@ Wparname

Example 3-2 demonstrates the output of the netpmon -@ command when ran within the Global environment.
Example 3-2 The netpmon command in a global environment
Fri Oct 5 15:05:System: AIX 6.1 Node: server5 Machine: 00C0F6A04C00
======================================================================= = Process CPU Usage Statistics: ----------------------------Network Process (top 20) PID CPU Time CPU % CPU % WPAR -------------------------------------------------------------------trcstop 454690 0.0029 9.182 0.000 Global getty 303290 0.0014 4.419 0.000 Global wlmsched 65568 0.0012 3.725 0.000 Global ksh 381130 0.0009 2.739 0.439 Global xmgc 49176 0.0008 2.632 0.000 Global gil 61470 0.0008 2.356 2.356 Global swapper 0 0.0007 2.125 0.000 Global java 270528 0.0005 1.491 0.000 Global netpmon 393260 0.0005 1.418 0.000 Global sched 12294 0.0003 0.977 0.000 Global netpmon 454688 0.0002 0.779 0.000 Global lockd-0.0002 0.741 0.000 Global rpc.lockd 139406 0.0001 0.465 0.000 Global sendmail: 332014 0.0001 0.204 0.000 mywpar1 init 368830 0.0001 0.189 0.000 mywpar1 sendmail: 204900 0.0001 0.182 0.000 Global pilegc 45078 0.0000 0.079 0.000 Global aixmibd 123008 0.0000 0.069 0.000 Global rmcd 266378 0.0000 0.052 0.000 Global netm 57372 0.0000 0.046 0.046 Global ---------------------------------------------------------Total (all processes) 0.0108 33.871 2.841 Idle time 0.0083 25.906 ======================================================================= = First Level Interrupt Handler CPU Usage Statistics:

.metadata.lvs.fslv00.fslv01.fslv02.fslv03.fslv04.fslv05.lines missing for clarity

| | | | | | | |

NO NO NO NO NO NO NO NO
ON/3 ON/3 ON/3 ON/3 ON/3 ON/3 ON/3 ON/3
The dumpctrl command is able to list live dumps with the specified components:
# dumpctrl -h.lines missing for clarity -s : List live dumps in the dump repository.lines missing for clarity Selector: either "-c all" or one or more of -c list : comma- or space-separated list of component names, -l list : comma- or space-separated list of component aliases, -t list : comma- or space-separated list of type or type_subtype names -C name : failing component name (only valid with -s) -L name : failing component alias (only valid with -s -T name : failing component type_subtype name (only valid with -s)
An output of the -s option when no live dump exists is shown in the following output:
# dumpctrl -s The live dump repository located at: /var/adm/ras/livedump contains no live dumps that match the specified parameters (if any).
SMIT panels (Figure 4-4 and Figure 4-5 on page 157) are also available to modify the dump component attributes under the main menu smitty ldmp.
Figure 4-4 SMIT Panel to request change/show the dump component attributes
Figure 4-5 SMIT Panel to change/display Dump attribute for a component

4.3.3 Live dump facility

The live dump facility uses the Component Dump framework to dump only AIX components registered as live dump aware components. Software or system administrators can initiate live dumps while the system is running: planned downtime is no longer necessary to dump a system. Software programs can use live dumps as part of recovery actions. A system administrator can initiate live dumps when a subsystem does not respond or behaves erroneously. The live dump is intended to provide dump capability to the kernel and extensions when the system is still functional. Important: Live dump should not be used if the system is not entirely functional. If no tasks can be dispatched or the system cannot perform I/O, then the system dump should be used instead. Live dump should not be used as the dump choice when a complete system failure is determined.

The data is written to the file system only after the system is unfrozen.

Live dump heap size

The default live dump heap size is the minimum of 64 MB and 1/64th the size of physical memory. It will not be less than 4 MB. The maximum heap size is also limited to 1/16th the size of real memory. Table 4-4 provides live dump heap size limits for several real memory sizes.
Table 4-4 Live dump heap size limits Size of real memory 128 MB 256 MB 1 GB 4 GB 16 GB Default heap size 4 MB 4 MB 16 MB 64 MB 64 MB Min. heap size 4 MB 4 MB 4 MB 4 MB 4 MB Max. heap size 8 MB 16 MB 64 MB 256 MB 1 GB
The heap size can be changed dynamically using the dumpctrl command or by way of dynamic reconfiguration, that is, adding or removing real memory.
Managing the live dump heap content
Duplicate live dumps that occur rapidly are eliminated to prevent system overload and to save file system space. Eliminating duplicate dumps requires periodic, once every 5 minutes by default, scans of the live dump repository. This is done by calling /usr/sbin/dumpctrl -k using an entry in the root users crontab. This period can only be changed by editing the crontab. To eliminate duplicate dumps, the dumpctrl-k command uses the following policies that can be changed by the dumpctrl command: Pre-capture policy Pre-capture elimination is designed to prevent duplicate live dumps. It uses an age limit. When checking for duplicates, only dumps not older than a day (86400 seconds) will be considered.
Post-capture policy Post-capture elimination is used to remove low priority live dumps when a higher priority dump must be written, and the file system free space is low.
A live dump has a priority of either info or critical, for informational or critical dumps. The default is critical. If, while writing a critical dump, the system runs out of space, post-capture elimination removes live dumps with info priority, starting with the oldest one, until the critical dump can be written. All policy None policy Pre-capture elimination and post-capture elimination are both in effect. No live dump elimination is performed.
There is a free space percentage associated with the live dump repository. When the free space falls below this percentage, the system logs an error message to the error log. As shown in Figure 4-7, the free space is 22% while the desired limit is at 25%, the default value. The system administrator should increase the file system size or delete the live dumps no longer desired. The contents of the live dump directory can be displayed with the dumpctrl -s command.
Figure 4-7 The freespc parameter and error log

Live dump attributes

With the dumpctrl command, all the described live dump attributes can be set with the form: dumpctrl attribute1=value1 attribute2=value2 To display live dump attributes, use the -ql option of the dumpctrl command: dumpctrl -ql
The following example shows how to display and modify live dump attributes controlling the live dump directory and the live dump detail level. Note that the live dump directory is also known as the live dump repository:

other kernel segments

Chapter 6.

Performance management

The performance of a computer system is evaluated based on clients expectations and the ability of the system to fulfill these expectations. The objective of performance management is to balance between appropriate expectations and optimizing the available system resources. Many performance-related issues can be traced back to operations performed by a person with limited experience and knowledge who unintentionally restricts some vital logical or physical resource of the system. Most of these actions may at first be initiated to optimize the satisfaction level of some users, but in the end, they degrade the overall satisfaction of other users. AIX Version 6 introduces many new performance management enhancements: 6.1, Unique tunable documentation on page 248 A unique documentation repository for all tunables of the six AIX tuning commands. 6.2, Restricted tunables on page 249 The tunable classification ##Restricted parameter helps you avoid user modification mistakes on critical performance tunables. 6.3, AIX V6 out-of-the-box performance on page 262 A new AIX default set of tunables values that helps you avoid setting base operating system parameters for a newly installed system, the so-called tuning out-of-the-box, or default, performance.
6.4, Hardware performance monitors on page 271 Enhancements on the AIX low-level performance monitors helps you detect more accurately a server problem-determination issue against a pure performance issue.
6.1 Unique tunable documentation
Because of the large number of tunables available, the need to adjust the tunables default values, their value ranges, and the need to add new tunables as platform complexity evolves, the static nature of the corresponding system documentation and tunable help messages has become increasingly difficult to manage. The help messages of the tuning commands now contain the complete tunables descriptions and allowed settings. Thus, the full list of the system tunable parameters and details of their use are no longer available at the AIX documentation or man pages level. This method ensures a single method for a user to know the exact functions a command currently has. The tunable description message for the six tuning commands (vmo, ioo, schedo, raso, no, and nfso) can be displayed through the new -h <tunable> option. The following example shows a tunable description message: # vmo -h lru_file_repage Help for tunable lru_file_repage: Purpose: Specifies whether the repaging rate will be considered in determining whether to steal file or computational pages. Values: Default: 0 Range: 0, 1 Type: Dynamic Unit: boolean Tuning: A value of 0 indicates that only file pages will be stolen if file pages are above minperm. Value of 1 indicates that only file pages will be stolen if both the file repaging rate is higher than the computational repaging rate and file pages are above minperm. We recommend that AIX system administrators make a copy of the complete tunables description, using a text file format, to their personal computer if they need to work without an AIX server connection.

Tip: Appendix B, Sample script for tunables on page 429 provides a sample shell script named prt_tun_help.sh to output all tunables for each tuning command under a corresponding file with the xxxo_help.txt name. A tar archive format file, gathering all these output files, named prt_tun_help.tar, can be then uploaded.

6.2 Restricted tunables

Since AIX 5L V5.3, six tuning commands (vmo, ioo, schedo, raso, no, and nfso) have a unified behavior and syntax. Beginning with AIX Version 6, some tunables are now classified as restricted use tunables. They exist and must be modified primarily for specialized intervention by the development support or development teams. Note: System administrators should not modify restricted tunables unless instructed to by IBM Support professionals. As these parameters are not recommended for user modification, they are no longer displayed by default, but can be displayed with the -F option (force). Thus, in SMIT and Web-based System Manager, they have no visibility by default. The no, nfso, vmo, ioo, raso, and schedo tuning commands all support the following syntax: command [-p|-r] [-F] -a command [-L] -F [tunable] command [-x] -F [tunable] The -F option forces the display of restricted tunable parameters when the options -a, -L, or -x are specified alone on the command line to list all tunables. When -F is not specified, restricted tunables are not included in a display unless specifically named in association with a display option. When the force -F option is used, the restricted tunables will be displayed after the non-restricted tunables and after a distinctive separator line beginning with the characters ##. In English language locales, this will be ##Restricted tunables. The Web-based Systems Manager panels do not show restricted tunables by default, but display them with their name followed by (R), when the Show Restricted Parameters check box is selected in the menu of a tunable table.
Chapter 6. Performance management
In Figure 6-1, note the restricted tunables are defined as Development Parameters to underline that only the IBM AIX development support team is authorized to modify the AIX restricted tunables.
Figure 6-1 SMIT panel for AIX Version 6.1 restricted tunables
6.2.1 New warning message for restricted tunables
When a restricted tunable is modified using any -o, -d, or -D option, a warning message is written to stderr (without generating an error) to warn the user that a tunable of the restricted use type has been modified: # vmo -o maxclient%=40 Setting maxclient% to 40 Warning: a restricted tunable has been modified Moreover, if a restricted tunable is modified permanently adding the -p or -r option, the user will be prompted for confirmation of the change: # vmo -p -o maxclient%=40 Modification to restricted tunable maxclient%, confirmation required yes/no yes Setting maxclient% to 40 in nextboot file Setting maxclient% to 40 Warning: a restricted tunable has been modified

Display statistics of cache usage
You can display statistics of the cache usage. The output of the command will be directed to the specified file. Use the statistics to verify the value of hash_size attribute in the netcd configuration: # netcdctrl -t dns -e hosts -s /tmp/netcd.cache.out
This output shows an extract of a statistic file:
CACHE dns, hosts, name Hash index : 0, Max number of entries : 0, Current number of entries : 0 Hash index : 1, Max number of entries : 0, Current number of entries : 0 Hash index : 2, Max number of entries : 0, Current number of entries : 0. Hash index : 53, Max number of entries : 1, Current number of entries : 1 Hash index : 54, Max number of entries : 1, Current number of entries : 1 Hash index : 55, Max number of entries : 0, Current number of entries : 0 Hash index : 56, Max number of entries : 1, Current number of entries : 0 END CACHE dns, hosts, name

Flush caches

You can manually flush the caches with the following command: # netcdctrl -t dns -e hosts -f If you flush a local resource cache, the local resource will be reloaded automatically. Use the following command if you changed the /etc/hosts local resource and you want to notify the netcd daemon immediately: # netcdctrl -t local -e hosts -f
Change the logging level of the netcd daemon
You can change the logging level of the netcd daemon dynamically. No restart of the daemon is necessary: # netcdctrl -l 7 Table 7-5 lists the available and default log levels.
Table 7-5 netcd logging levels Log level (the default) Log detail No logging Errors (the default) Warnings Notice Info Debug

7.6 IPv6 RFC compliances

The IPv6 implementation in AIX V6.1 is compliant with RFC 4007 and RFC 4443, as published by the Internet Engineering Task Force (IETF).
7.6.1 RFC 4007 - IPv6 Scoped Address Architecture
RFC 4007 describes the scoped address architecture. AIX V6.1 introduces scope zone support, as specified in the RFC. AIX will automatically assign an unique, consecutive number as the zone ID. If you need to provide a specific zone ID, you can specify the desired zone ID value within the ifconfig command: # ifconfig en1 inet6 fe80::6888:8eff:fe61:6606%9/64 You can use the netstat command to display the assigned zone IDs:
# netstat -in Name Mtu Network Address ZoneID enlink#2 6a.88.8e.61.66.2 en9.3.4 9.3.5.112 enfe80::6888:8eff:fe61:sitlink#3 9.3.5.112 sit::9.3.5.enlink#4 6a.88.8e.61.66.5 enfe80::6888:8eff:fe61:lolink#1 lo127 127.0.0.1 lo::Ipkts Ierrs Opkts Oerrs Coll 0 0
More information about the IPv6 Scoped Address Architecture can be found at: http://www.ietf.org/rfc/rfc4007.txt
7.6.2 RFC 4443 - Internet Control Message Protocol (ICMPv6)
RFC 4443 describes the Internet Control Message Protocol (ICMPv6). ICMPv6 is based on ICMPv4 with enhancements made for the use with IPv6. AIX V6.1 implements the message type and message code changes as defined in RFC 4443, which obsoletes the older ICMPv6 RFC 2463. More information about the Internet Control Message Protocol can be found at: http://www.ietf.org/rfc/rfc4443.txt

Stack Execution Disable itself is introduced in AIX 5L 5.3 TL4. In AIX V6.1, it is added to the graphic interface; you can now see the Enable Stack Execution Disable check box in Miscellaneous section of High Level Security, as shown in Figure 8-3.
Figure 8-3 Enable SED Feature Interface
8.2.5 File permission Manager (fpm) for managing SUID programs
File Permission Manager (fpm) manages the permissions on commands and daemons owned by privileged users with setuid or setgid permissions. This command will be provided in AIX V6.1 and AIX 5L V5.2 TL10 and AIX 5L V5.3
TL7 at the time of writing. AIX Security Expert provides the interface of the File Permissions Manager, as shown in Figure 8-4.
Figure 8-4 File Permissions Manager Interface on AIX Security Expert
The fpm command allows administrators to harden their system by disabling the setuid and setgid bits on many commands in the operating system. This command is intended to remove the setuid permissions from commands and daemons owned by privileged users, but you can also customize it to address the specific needs of unique computer environments with the command options. Note: The fpm command cannot run on TCB-enabled hosts. Example 8-1 shows an example of the fpm command.
Example 8-1 Changing Level and Restore setting scenarios
##### Check current status # fpm -s Default level security. # more 10192007_12:20:49 ##### Check current file permissions # ls -l /usr/bin/acctctl -r-sr-s--1 root adm
203601 Sep 24 18:24 /usr/bin/acctctl
##### Change Low Level # fpm -l low One or more file is already secure. Therefore, the current file permissions may not match the default permissions. If you wish to return to the snapshot of permissions prior to running this command, then use the command: /usr/bin/fpm -l default -f /var/security/fpm/log/10192007_13:02:57 fpm will now continue to remove the SUID permissions. ##### Check current file permissions: suid is removed
# ls -l /usr/bin/acctctl -r-xr-s--1 root adm
##### Change Medium Level # fpm -l medium One or more file is already secure. Therefore, the current file permissions may not match the default permissions. If you wish to return to the snapshot of permissions prior to running this command, then use the command: /usr/bin/fpm -l default -f /var/security/fpm/log/10192007_13:03:18 fpm will now continue to remove the SUID permissions. ##### Check current file permissions: sgid is removed # ls -l /usr/bin/acctctl -r-xr-x--1 root adm 203601 Sep 24 18:24 /usr/bin/acctctl ##### Change Default Status # fpm -l default fpm will restore the AIX file permissions to the installed settings and any customized defaults listed in /usr/lib/security/fpm/custom/default. If you had done other customizations outside fpm and wish to return the file permissions to a state representing a particular time and date, use the command: fpm -l default -f /var/security/fpm/log/<in_file> Where <in_file> is a previously saved timestamped file representing this system's file permission state at a particular date and time. ##### Check current file permissions: suid, sgid are restored # ls -l /usr/bin/acctctl -r-sr-s--1 root adm 203601 Sep 24 18:24 /usr/bin/acctctl Attention: The fpm command writes a log in the /var/security/fpm/log directory. Ensure that there is free space for the directory and log. If there is no space to log, the command will fail.

Here are the kernel security tables management commands: setkst Update the KST with data in the user-level databases. Only an entire table update is supported. A way to update single entries in a table is not provided. (KAT requires the KRT and KCT update.) List the data from the KST.
A binary version of KST is saved each time the setkst command is executed. It is used for reboot and Workload Partition mobility.
User defined Authorization Privileged comand Privileged device

User Kernel

User-defined KAT Privileged Command table (KCT)

Roles table (KRT)

Privileged Device Table (KDT)

System-defined KAT

Figure 8-6 Enhanced RBAC Framework on AIX V6.1.

8.3.1 Authorizations

Authorizations are authority attributes for a user. These authorizations allow a user to do certain tasks. An authorization can be thought of as a key that is able to unlock access to one or more commands (see Figure 8-7).
Figure 8-7 Authorizations concept
Authorization in AIX 5L V5.3
In AIX 5L V5.3 and earlier, 11 authorizations were provided in the system (see Table 8-2). These cannot be customized. The commands and authorizations are tightly bound.
Table 8-2 Authorizations in AIX 5L V5.3 Authorization Backup Diagnostics Description Performs a system backup. The backup command uses this authorization. Allows a user to run diagnostics. This authority is also required to run diagnostic tasks directly from the command line. The diag command uses this authorization. Performs a disk quota. The following commands use this authorization: quotacheck edquota j2edlimit quota quotaoff quotaon repquota Performs the functions of the root user on group data. The following commands use this authorization: chgroup chgrpmems chsec mkgroup rmgroup Views the list of valid audit classes. Performs the functions of the root user on password data. The following commands use this authorization: chsec lssec pwdadm Performs password administration functions on non-administrative users. The pwdadm command uses this authorization.

DiskQuotaAdmin

GroupAdmin
ListAuditClasses PasswdAdmin

PasswdManage

UserAdmin
Performs the functions of the root user on user data. Only users with the UserAdmin authorization can modify the role information of a user. You cannot access or modify user auditing information with this authorization. The following commands use this authorization; chfn chsec chuser mkuser rmuser Allows the user to modify the user-auditing information. The following commands use this authorization: chsec chuser lsuser mkuser Performs the functions of the root user on role data. The following commands use this authorization: chrole lsrole mkrole rmrole Performs a system restoration. The restore command uses this authorization.

Figure 8-10 Concept of roles
The function of the role itself is not different from the previous one on AIX 5L V5.3. But the contents of roles are completely different. The following tables (Table 8-5 on page 325 and Table 8-6 on page 325) shows roles that the system provides by default.
Table 8-5 List of roles provided by default on AIX 5L V5.3 Roles ManageBasicUsers Descriptions Performs the functions of the root user on user data. Views the list of valid audit classes. Performs the functions of the root user on role, password data, group data, and user data. Views the list of valid audit classes. Performs password administration functions on non-administrative users. Performs the functions of the root user on password data. Performs password administration functions on non-administrative users. Performs the functions of the root user on role data. Performs a system backup and a system restoration. Performs a system backup. Shuts down the system. Runs diagnostics. Performs a disk quota.

ManageAllUsers

ManageBasicPasswds ManageAllPasswds
ManageRoles ManageBackupRestore ManageBackup ManageShutdown RunDiagnostics ManageDiskQuota
Table 8-6 List of roles provided by default on AIX V6.1 Roles AccountAdmin BackupRestore DomainAdmin FSAdmin SecPolicy SysBoot SysConfig isso Descriptions User and Group Account Administration Backup and Restore Administration Remote Domain Administration File System Administration Security Policy Administration System Boot Administration System Configuration Information System Security Officer

Roles sa so

Descriptions System Administrator System Operator
By default, AIX does not activate any roles. A swrole command can be used to assume the proper role in order to execute any privileged command or function.
8.3.4 Summary of differences
Table 8-7 shows a summary of differences between AIX 5L V5.3 and AIX V6.1 RBAC functions.
Table 8-7 Differences summary between AIX 5L V5.3 and AIX V6.1 Feature Implementation region Role Create new roles Enablement Authorization Structure Create new authorizations Privilege Create new privileges Assign privileges to targets No No No (system provides only) Yes (file, device, process) Flat No Hierarchical Yes Yes Default active Yes Need to activate (swrole) AIX 5L V5.3 Mostly User space AIX V6.1 User and Kernel Space
8.4 Web-based GUI for RBAC

Figure 10-14 SMIT menu to select country or region for Olson time zone
SMIT uses the undocumented /usr/lib/nls/lstz -C command to produce the list of available countries and regions. Note that undocumented commands and features are not officially supported for customer use, are not covered by the AIX compatibility statement, and may be subject to change without notice.
After you have chosen the country or region in the Select COUNTRY or REGION menu, a new selection menu will list all available time zones for the country or region in question. Figure 10-15 shows the time zone options that are available for the United States. The selected value of the first column will be passed by SMIT to the chtz command, which in turn will change the TZ variable value in the /etc/environment system level configuration file. As with previous AIX releases, time zone configuration changes always require a system reboot to become effective.
Figure 10-15 SMIT menu to select the time zone for a given country or region
SMIT uses the internal /usr/lib/nls/lstz -c command to produce the list of available time zones for a given country and region. The -c flag uses a country or region designation as the input parameter. The /usr/lib/nls/lstz -C command provides a list of available input parameters. As such, the listing in Figure 10-15 is produced by the /usr/lib/nls/lstz -c US command. The /usr/lib/nls/lstz command used without any flag provides a full list of all Olson time zones available on AIX. Note that undocumented commands and features are not officially supported for customer use, are not covered by the AIX compatibility statement, and may be subject to change without notice.

10.7 Unicode 5.0 support

As part of the continuous ongoing effort to adhere to the most recent industry standards, AIX V6.1 provides the necessary enhancements to the existing Unicode locales in order to bring them up to compliance with the latest version of the Unicode standard, which is Version 5.0, as published by the Unicode Consortium. The Unicode is a standard character coding system for supporting the worldwide interchange, processing, and display of the written texts of the diverse languages used throughout the world. Unicode 5.0 defines standardized character positions for over 99,000 glyphs in total. For in-depth information about Unicode 5.0, visit the official Unicode home page at: http://www.unicode.org

RPC_SVC_REG
Routines that allow the RPC servers to register themselves with rpcibnd(), and associate the given program and version number with the dispatch function.
rpc_reg svc_reg svc_unreg svc_auth_reg xprt_register xprt_unregister
S E E O B B T T T B B B E I B

RPC_SVC_CREATE

Routines that are related to the creation of service handles.
svc_control svc_create svc_destroy svc_dg_create svc_fd_create svc_raw_create svc_tli_create svc_tp_create svc_vc_create

Available in libc.ab

Implemented in libnsl.ab

Routine classificationa

API classification

Description

API names

RPC_SVC_CALLS

Routines that are associated with the server side of the RPC mechanism. Some of them are called by the server side dispatch function, while others are called when the server is initiated.
svc_dg_enablecache svc_done svc_exit svc_fdset svc_freeargs svc_getargs svc_getreq_common svc_getreq_poll svc_getreqset svc_getrpccaller svc_max_pollfd svc_pollfd svc_run svc_sendreply
O O O O O O B B B O O O O O O O O O O O O

M G G G M M

RPC_SVC_ERR
Routines called by the server side dispatch function if there is any error in the transaction with the client.
svcerr_auth svcerr_decode svcerr_noproc svcerr_noprog svcerr_progvers svcerr_systemerr svcerr_weakauth
Appendix A. Transport-independent RPC

RPC_CLNT_CREATE

Routines that facilitate services related to the creation of client handles.
clnt_control clnt_create clnt_create_timed clnt_create_vers clnt_create_vers_timed clnt_destroy clnt_dg_create clnt_door_create clnt_pcreateerror clnt_raw_create clnt_spcreateerror clnt_tli_create clnt_tp_create clnt_tp_create_timed clnt_vc_create rpc_createerr
T T T T T T B I O B O E I I B O

M M M M

RPC_CLNT_CALLS
Routines that handle the client side of the remote procedure calls and related error conditions.
clnt_call clnt_freeres clnt_geterr clnt_perrno clnt_perror clnt_sperrno clnt_sperror rpc_broadcast rpc_broadcast_exp rpc_call

T O O O O O O S S S SC

RPC_CLNT_AUTH
Routines normally called in support of authentication after creation of the client handle.
auth_destroy authnone_create authsys_create authsys_create_default

SECURE_RPC

Routines supporting DES encryption-based authentication.
authdes_getucred authdes_seccreate getnetname host2netname key_decryptsession key_encryptsession key_gendes key_secretkey_is_set key_setsecret netname2host netname2user user2netname
SC SC SC SC SC SC SC SC SC SC SC SC T

RPC_CONTROL

Function that allows applications to set and modify global attributes that apply to clients as well as server functions. Routines that allow you to make procedure calls to the RPC bind service.