The Distributed System Management Interface Tool (DSMIT) adds functionality to the System Management Interface Tool (SMIT) by allowing the SMIT interface to build commands for system management and distribute them to other clients on a network. DSMIT has most of the functionality of the SMIT program, such as fast paths, log files, and flags. The DSMIT facility runs in two interfaces, ASCII (nongraphical) or AIXwindows (graphical).
The DSMIT server runs on AIX Version 4 and the DSMIT clients support the following operating systems:
Note: You must install the DSMIT 2.2 client code with the DSMIT Version 2.2 server. The client code from previous versions of DSMIT does not contain the security enhancements that allow it to interoperate with DSMIT Version 2.2. For the same reason, you cannot install the DSMIT Version 2.2 client code with the server code from previous versions of DSMIT.
The following terminology is
important in understanding the DSMIT program:
|Client or managed machine||Specifies the machines that run commands built by the DSMIT server. The clients wait for the server to issue the information on what commands to run.|
|Server or managing machine||Specifies the machines that build and distribute commands for running on client machines.|
|Working collective||Specifies a current list of clients to /receive commands built by DSMIT. The working collective is a temporary list and must be reset with each new DSMIT session.|
|Domain of clients||Specifies a permanent group of clients on which DSMIT can run commands. Domains are different from the working collective because they do not need to be reset with each new DSMIT session.|
|Exclude||Excludes members from the working collective, preventing them from receiving commands.|
|Include||Restores excluded members to the working collective, allowing them to receive commands.|
|Heterogeneous clients||Specifies a network in which not all clients have the same operating systems.|
|Homogeneous network||Specifies a network in which all clients have the same operating system. In this case, they can be this operating system, HP, Solaris, or Sun OS.|
|Intersection||Specifies the list of machines that meet all of the selected criteria.|
|Union||Specifies the list of machines that meet any of the selected criteria.|
|DSMIT configuration file server||Specifies the machine that holds the DSMIT security configuration files.|
The DSMIT program uses networks that support the TCP/IP and UDP/IP communication protocols. DSMIT sends information using sockets.
DSMIT security is based on well-established crypto routines and DSMIT specific (modeled after MIT's Kerberos) communication protocols. It provides an ongoing secure DSMIT operation and supports secure modification of the security configuration and updates of passwords and keys.
The DSMIT security characteristics
|Single Sign-on||When single sign-on is enabled, the credentials that allow the DSMIT administrator to run DSMIT are created when the administrator logs in to the system. This is optional. If the DSMIT administrator chooses a DSMIT password different from their system password, the DSMIT password must be provided each time their DSMIT credentials have expired.|
|Authentication||Only the user authenticated as the DSMIT administrator can run DSMIT. A root user on the managing system does not have root access to the managed systems unless the root ID is registered as a DSMIT administrator. Communications between the managing and managed systems are authenticated.|
|Data Integrity||DSMIT uses the Message Authentication Code (MAC) to protect against unauthorized changes or substitutions to data transmissions between the managing and managed systems.|
|Data Confidentiality||Passwords, DSMIT commands, and their output are not passed over the network in the clear. To mask data between the managing and managed systems, DSMIT uses the Commercial Data Masking Facility (CMDF) technology.|
|Audit Logging||DSMIT maintains a log of significant events to keep track of the start and end of DSMIT sessions and the identity of the administrator and the managed and managing systems.|
DSMIT runs in both concurrent and sequential modes. Concurrent mode means that the DSMIT server builds a command and routes it to the clients simultaneously. Sequential mode means that the DSMIT server builds a command and routes it to the clients one machine at a time. After you build a command on the server and press the Enter key, a menu appears asking in which mode you wish to run DSMIT.
When you use the concurrent mode to submit commands, ASCII DSMIT displays a spinning-wheel graphic to indicate it is processing the commands.
The following DSMIT files are
essential to configuration:
|/usr/share/DSMIT/domains||Defines the groups of clients that the DSMIT server supports.|
|/usr/share/DSMIT/dsmitos||Defines the operating systems that the DSMIT server supports.|
|/usr/share/DSMIT/hosts||Defines the clients that the DSMIT server supports.|
|/usr/share/DSMIT/security/v5srvtab||Stores the local machine's unique DSMIT principal key. This file is present on each managing and managed system. The default location for this file is /usr/share/DSMIT/security/v5srvtab.|
|/usr/share/DSMIT/security/admin.cfg||Stores the DSMIT administrator's keys. This file is used by the managing systems. The location for this file is in /usr/share/DSMIT/security on the system designated as the DSMIT configuration file server.|
|/usr/share/DSMIT/security/managing.cfg||Stores the intermediate keys. This file is used by the managing systems. The location for this file is in /usr/share/DSMIT/security on the system designated as the DSMIT configuration file server.|
|/usr/share/DSMIT/security/managed.cfg||Stores the managed machine's DSMIT principal keys. This file is used by the managing systems. The location for this file is in /usr/share/DSMIT/security on the system designated as the DSMIT configuration file server.|
|/usr/share/DSMIT/security/dsmit.ptr||Stores the name of the DSMIT configuration file server. This file is present on each managing system. The location for this file is /usr/share/DSMIT/security/dsmit.ptr.|
DSMIT exports the variable SMIT=d, which indicates that DSMIT rather than SMIT is running.
If the environment variable DSMIT_USE_PREV_WC is set, DSMIT saves the current working collective in its current state to the file $HOME/.dsmit_prev_wc. The next time DSMIT is invoked (and the environment variable is still set), DSMIT retrieves the information in $HOME/.dsmit_prev_wc to use as the current working collective.
The $HOME/.dsmit_prev_wc file is overwritten with the current working collective each time DSMIT exits.
The -w and -W flags take precedence over DSMIT_USE_PREV_WC.
The DSMIT program uses the same Object Data Manager (ODM) databases that SMIT uses. The databases are located in the /usr/lib/objrepos file. If you add any stanzas to the ODM database, DSMIT uses these stanzas to expand its functionality.
Sun-, Solaris-, and HP-specific stanzas are located in the /usr/share/DSMIT/SunOS_4.1.3, /usr/share/DSMIT/Solaris, and /usr/share/DSMIT/HP-UX_9.0 directories, respectively. The system creates these directories when the client software is installed for either Sun, Solaris, or HP clients. The dsmitos file defines the available operating system types. This file is updated with the SMIT ODM database directory name when the DSMIT client software is installed on the DSMIT server system. During installation of the DSMIT server software, the Symbol.dsmit ODM database directory is linked into the /usr/share/DSMIT directory and is added to the dsmitos file.
If the systems that are being managed are at a different version, release, or level than the managing system, such as the managing system is running AIX 4.1.3 and the managed system is running AIX 4.1.2, you will need to copy the SMIT stanzas from the managed system to the managing system. This will help you to avoid problems that may occur due to differences in the operating system levels. For example, if a SMIT task uses a new parameter added to a command in AIX 4.1.3, the command will not be understood by previous levels of the operating system. Use the following steps to add support for specific levels of the operating system:
Note: NewLevelDirectory is a specific level of the operating system.
echo "NewLevelDirectory" >> dsmitos
rcp root@client:/usr/lib/objrepos/sm* .
Note: You must install the DSMIT 2.2 client code. The client code from previous versions of DSMIT does not contain the security enhancements that allow it to interoperate with DSMIT Version 2.2.
ODMDIR=. /usr/bin/odmadd /usr/share/DSMIT/add_files/*.add
This is important if the commands being executed has changed between levels of operating system. For example, AIX 4.1.3 of installp will not run on AIX 4.1.1 due to syntax changes in the flags. So it is important that the correct SMIT database that is being used on a managing machine corresponds to the correct level of operating system of the managed machine.
Security Configuration for DSMIT.
Modifying DSMIT Security Configuration.
Establishing Single Sign-On.
Starting and Stopping the DSMIT (ASCII or AIXwindows) Interface.
Using the DSMIT Interfaces.
Defining Clients, Defining the Working Collective, Saving the Current Working Collective as a Domain.
Creating a Domain, Changing a Domain, Removing a Domain.
Examples of Tasks Performed with DSMIT.
The chdsmitd command, dsmit command, lsdsmitd command, lsdsmitm command, mkdsmitd command, rmdsmitd command.