AIX 7.2 Installation Tips

This document contains tips for successful installation of AIX 7.2 and is updated as new tips become available.
Last Update: 26 January 2024
Technology Levels and Service Packs mentioned in this document, when available, can be obtained from Fix Central at:

General Recommendations

The AIX installation DVDs and the level of AIX preinstalled on new systems might not contain all available fixes. Missing fixes might be critical to the proper operation of your system. Update these systems to a current service pack level from Fix Central.

When you update to a new Technology Level (TL), it is good practice to first update the bos.rte.install file set in a separate installation session.

With certain combinations of updates, the update process might have to be run a second time in order to apply all updates in a package. Check the output of the 'oslevel -r' and 'oslevel -s' commands for the expected values after an update. Until the update is run a second time, the output of the oslevel command might not indicate that the package is fully installed.

The compare_report command, which is documented in the AIX Commands Reference, can be used to determine which available updates contain fixes not present on your system.

Any library or executable file that is updated by an interim fix (emgr) or service update, which is in use by an active process, is not reflected in that process until it is restarted. In addition, any process that uses a library and does a dlopen() of the same library after the library is updated, could experience inconsistencies.

Commit all applied updates before you upgrade your system to a new service pack or technology level. If you use workload partitions (WPARs), commit all applied updates in the WPARs before you update the global LPAR.


26 January 2024

Updating to AIX 7.2 TL5 SP7 (7200-05-07-2346) with Trusted Update

The fix for HIPER APAR IJ49570 was added to 7200-05-07-2346 on Fix Central on 26 January 2024.  To avoid the issue documented in IJ49570, it is recommended to download the augmented service pack for any future update operations.

Systems with trusted update enabled will require special steps to update successfully.  These systems have a signature checking policy of "medium" or "high".

To determine the current policy for a system, run:

% chsignpolicy -p
#signpolicy
none <----  this value (could be none, low, medium, or high)

For policies of "low" or "none", normal update procedures are sufficient and there is no need to read further.

Systems with policies of "medium" or "high" will need to either temporarily lower it to "low" or "none" using the chsignpolicy command or use an interim fix with the new package signatures to successfully update.

To temporarily lower the policy setting, the steps are:

  1. chsignpolicy -s none # or low for informational messaging
    % chsignpolicy -s low  
    sys0 changed
    
  2. perform the update as usual
  3. chsignpolicy -s high  # or medium (to restore the original policy)
    % chsignpolicy -s high
    sys0 changed
    
  4. the procedure is complete, and there is no need to read further

To maintain a "medium" or "high" policy, an interim fix is available to deliver the necessary signatures and allow a successful update.  The steps are:
  1. run oslevel -s and verify it indicates 7200-05-06-2320.  If not, update to 7200-05-06-2320 before proceeding.
    % oslevel -s
    7200-05-06-2320
    
  2. run chsignpolicy -p and verify the value is "medium" or "high".  If it's "low" or "none" then no signature policy is configured and there's no need to continue with these steps.  Simply apply service pack 7200-05-07-2346 following normal procedures.  If it is "medium" or "high" then continue to the next step.
  3. download ifix IJ49570tu1.240125.epkg.Z
  4. download 7200-05-07-2346 from Fix Central (do this after 26 January 2024 to get the fix for IJ49570)
  5. verify the downloaded images include files U894244.bff and U894514.bff.  If they do not, then the service pack was downloaded before the HIPER fix was added and will need to be redownloaded.
  6. from the directory with the service pack images, run the following (this will preview an update of bos.rte.install and bos.dsc)
    % installp -e /tmp/install.log -apXgd . bos.dsc
    
  7. after a successful preview, apply the two updates by removing the 'p' flag
    % installp -e /tmp/install.log -aXgd . bos.dsc
    
  8. go to the directory where the ifix resides and run
    % emgr -X -e IJ49570tu1.240125.epkg.Z
    
  9. back in the SP download directory, preview the update by running
    % install_all_updates -pYd .
    
  10. after a successful preview, apply the updates by running
    % install_all_updates -Yd .
    
  11. verify the new service pack level is 7200-05-07-2346 by running oslevel -s
    % oslevel -s
    7200-05-07-2346
    
  12. verify the fix for IJ49570 is present by running 
    % instfix -ivqk IJ49570
    IJ49570 Abstract: SAVEBASE FAILS WITH IOCTL FOR LV_QRYBLKSIZE ON BLV FAIL (14 
    
        Fileset bos.alt_disk_install.boot_images:7.2.5.206 is applied on the system.
        Fileset bos.rte.boot:7.2.5.203 is applied on the system.
    
  13. remove the signature ifix by running emgr -rL IJ49570tu1

The system is now updated and may be safely rebooted.
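
A preflight for steps 1, 2 and 5 of the interim-fix procedure above, as an added example that is not IBM's code. The function names, result words and the tu_preflight.sh file name are assumptions; the level, image names and commands are the ones given in this tip.

```shell
#!/bin/sh
# Added example (not IBM code): preflight for steps 1, 2 and 5 above.
REQUIRED_LEVEL=7200-05-06-2320
HIPER_IMAGES="U894244.bff U894514.bff"   # present only in the augmented SP

# signpolicy_value: policy word from `chsignpolicy -p` output on stdin
# (skips the "#signpolicy" header line).
signpolicy_value() { awk '!/^#/ && NF { print $1; exit }'; }

# trusted_update_path LEVEL POLICY SP_DIR
#   LEVEL is the `oslevel -s` output, POLICY the signature policy, SP_DIR the
#   directory holding the downloaded 7200-05-07-2346 images.
#   Prints the path to follow. Returns 0 when the update can start, 1 when a
#   prerequisite is missing, 2 when the policy value is not recognized.
trusted_update_path() (
    level=$1 policy=$2 sp_dir=$3
    case $policy in
        none|low)    echo "normal-update"; return 0 ;;
        medium|high) ;;
        *)           echo "unknown-policy:$policy"; return 2 ;;
    esac
    if [ "$level" != "$REQUIRED_LEVEL" ]; then
        echo "update-to-$REQUIRED_LEVEL-first"; return 1
    fi
    # Step 5: a service pack downloaded before the HIPER fix was added
    # lacks these images and has to be downloaded again.
    missing=
    for f in $HIPER_IMAGES; do
        [ -s "$sp_dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "redownload-sp: missing$missing"; return 1
    fi
    echo "ifix-procedure"
)

# Stand-alone use on AIX, from the directory with the service pack images:
#   sh tu_preflight.sh .      (tu_preflight.sh is a hypothetical file name)
if [ $# -eq 1 ]; then
    trusted_update_path "$(oslevel -s)" "$(chsignpolicy -p | signpolicy_value)" "$1"
fi
```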


1 November 2022

SUMA workaround for November security change

On 11 November 2022, the service that SUMA relies on to retrieve fixes will undergo a security change causing SUMA commands to fail unless default settings are changed by running the following command:
# suma -c -a DOWNLOAD_PROTOCOL=https
This one-time change to the default SUMA communication protocol will not be necessary on future levels of AIX, namely:
AIX 7.3 TL1 SP1 (7300-01-01-2246) - estimated to be available 2 December 2022
AIX 7.2 TL5 SP5 (7200-05-05-2246) - estimated to be available 2 December 2022
AIX 7.1 TL5 SP11 (7100-05-11-2246) - estimated to be available in March 2023

20 May 2022 - Updated 25 May 2022

Firewall Changes May Be Needed For Fix Retrieval

IBM is planning to implement infrastructure improvements to electronic fix distribution in early June.

Public internet IP addresses and hostnames will be changing for the IBM servers that support internet delivery of fixes and updates for customer systems' software, hardware, and operating system.

This change pertains to all operating systems supported by IBM Electronic Fix Distribution (EFD) / IBM Fix Central system.

Customer action may be required to ensure uninterrupted fix delivery services.

See the full bulletin for details.

Service Update Management Assistant (SUMA) is not affected by this change.


20 January 2022

suma command fails to retrieve list from fix server

As of 27 June 2022, suma commands on older levels of AIX will fail with errors like:
% suma -x -a Action=Preview -a RqType=Latest
****************************************
Performing preview download.
****************************************
Partition id was unassigned; will attempt to assign it.
Partition id assigned value 19
0500-013 Failed to retrieve list from fix server.
The suma command relies on trusted root certificates to enable SSL/TLS communication with IBM servers. Some of the certificates are expiring 27 June 2022, and new certificates are required.
These levels (and later) have the new certificates and are not affected by this issue:
    AIX 7.3 released in December 2021
    AIX 7.2 7200-05-03-2135 released in September 2021
    AIX 7.2 7200-04-05-2148 planned for release in February 2022
    AIX 7.1 7100-05-09-2135 released in September 2021
Older levels require an interim fix.  They can be retrieved by using FTP, HTTP, or HTTPS.
For AIX 7.2 Technology Level 7200-05, use:
For all earlier levels of AIX 7.2, use:
For AIX 7.1, use:
Apply an interim fix by using the emgr command.  For example,
% emgr -e /tmp/ECCJKS01.220111.epkg.Z

10 December 2021

Secure Boot failure with NTP v4

Secure Boot checks fail for 7200-05-03-2148 LPARs configured to run ntp4.  Failed boots display this message:
Secure boot: Signature verification failed for /usr/sbin/ntp4/ntpd4
This issue can be worked around by deleting the erroneous entry from the Trusted Signature Database (TSD) by running:
trustchk -d /usr/sbin/ntp4/ntpd4
If you are already hitting this problem, then you need to reduce your Secure Boot policy to allow boot.  Then, delete the TSD entry, set the Secure Boot policy back to a level of 2 or lower, and boot one more time.

Digital Signature Policy and 7200-05-03 or later

If you are upgrading to 7200-05-03-2136 or later from 7200-04 or later and the system has a nondefault Digital Signature Policy (that is, "chsignpolicy -p" returns a result other than "none"), then run the following commands before you upgrade to avoid errors related to missing signatures.
% chsignpolicy -p
#signpolicy
high   <----  remember this value (could be low, medium, high, or none)
If the signature policy value is "none", then you can ignore this tip.
If the signature policy value is "low", then "INFO" messages appear during the update as some signatures are missing from 7200-05-03-2136.  There are no special steps required to update your system successfully.
If the signature policy value is "medium" or "high", then you need to lower it before you update your system. Temporarily set the signature policy to "none" or "low". For example,
# chsignpolicy -s none
sys0 changed
Then, proceed to update your system as you normally would.
You might notice the following warnings.  They are expected as part of the update process for this level and can be safely ignored:
sysck: 3001-036 WARNING:  File 
        /usr/lib/objrepos/dsc_inventory.vc
        is also owned by fileset bos.rte.install.
sysck: 3001-036 WARNING:  File 
        /usr/lib/objrepos/dsc_inventory
        is also owned by fileset bos.rte.install.
After the update is completed, you can restore the original policy setting.
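
Both this tip and the Trusted Update tip of 26 January 2024 lower the signature policy for the duration of an update. The wrapper below is an added example (not IBM's code; the function names and the lowered_update.sh file name are assumptions) that puts the original policy back even when the update fails or is interrupted, using only chsignpolicy -p and chsignpolicy -s as shown on this page.

```shell
#!/bin/sh
# Added example (not IBM code): run an update with the signature policy
# lowered and always restore the original value afterwards.

# current_signpolicy: policy word from `chsignpolicy -p`, header line skipped.
current_signpolicy() {
    chsignpolicy -p | awk '!/^#/ && NF { print $1; exit }'
}

# with_lowered_signpolicy TEMP CMD [ARG...]
#   TEMP is "none" or "low". If the current policy is "medium" or "high", CMD
#   runs with the policy at TEMP; if it is already "none" or "low", CMD runs
#   with the policy untouched.
#   Returns CMD's exit status, 2 on a usage or setup error, 3 if the original
#   policy could not be confirmed after the run.
with_lowered_signpolicy() (
    [ $# -ge 2 ] || { echo "usage: TEMP CMD [ARG...]" >&2; return 2; }
    temp=$1; shift
    case $temp in
        none|low) ;;
        *) echo "TEMP must be none or low" >&2; return 2 ;;
    esac
    orig=$(current_signpolicy)
    case $orig in
        none|low)    "$@"; return $? ;;
        medium|high) ;;
        *) echo "unrecognized policy: '$orig'" >&2; return 2 ;;
    esac
    restore() { chsignpolicy -s "$orig" >/dev/null; }
    # An interrupted update must not leave signature checking lowered.
    trap 'restore; exit 130' HUP INT TERM
    chsignpolicy -s "$temp" >/dev/null || return 2
    "$@"; rc=$?
    trap - HUP INT TERM
    restore
    if [ "$(current_signpolicy)" != "$orig" ]; then
        echo "signature policy NOT restored to $orig" >&2
        return 3
    fi
    return "$rc"
)

# Stand-alone use on AIX (lowered_update.sh is a hypothetical file name):
#   sh lowered_update.sh low install_all_updates -Yd .
if [ $# -gt 0 ]; then
    with_lowered_signpolicy "$@"
fi
```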

20 January 2021

IJ29762: PCIe3 16 Gb 2-port Fibre Channel adapter (FC EN2A and FC EN2B) fails to configure

Devices attached to PCIe3 16 Gb 2-port Fibre Channel adapters (FC EN2A and FC EN2B; CCIN 579D) do not configure, and therefore cannot be installed to, when booted from any of the following:

      AIX_v7.2_Install_7200-05-00-2037_DVD_1_of_2_112020_LCD8223014.iso
      AIX_v7.2_Install_7200-05-00-2037_DVD_2_of_2_112020_LCD8223114.iso
      AIX_v7.2_Install_7200-05-01-2038_flash_112020_LCD8236408.iso
      aix_7200-05-00-2037_1of2_112020.iso
      aix_7200-05-00-2037_2of2_112020.iso
      aix_7200-05-01-2038_flash_112020.iso
  • alt_disk_mksysb images created on AIX levels up through 7200-05-01-2038
As of 15 January 2021, AIX 7.2 orders will be fulfilled with corrected media, and ISO images retrieved from ESS and Passport Advantage downloads will also have the fix.

25 November 2020 (updated 4 December 2020)

Unable to boot systems that use NPIV after you update to 7200-05 (APAR IJ29419)

Systems might hang on boot with LED 0554 after update to technology level 7200-05-00-2037 or service pack 7200-05-01-2038.  The hang occurs if the boot device is configured on an NPIV client adapter with attributes customized outside of usable range.
To identify a vulnerable system:
1) Check whether NPIV virtual adapters are defined by running:

% LANG=C lsdev |grep "Virtual Fibre Channel Client Adapter"
fcs0       Available 15-T1       Virtual Fibre Channel Client Adapter
fcs1       Available 16-T1       Virtual Fibre Channel Client Adapter
If no fcs devices appear, the system is not affected.  Otherwise,
2) Check for out-of-range values for each listed device's num_cmd_elems and lg_term_dma attributes by running:

% lsattr -El fcs0
intr_priority  3          Interrupt priority                  False
lg_term_dma    0x8000000  Long term DMA                       True
max_xfer_size  0x1000000  Maximum Transfer Size               True
num_cmd_elems  256        Maximum Number of COMMAND Elements  True
sw_fc_class    2          FC Class for Fabric                 True
To avoid problems on 7200-05, num_cmd_elems and lg_term_dma must be in these ranges:
512      <= num_cmd_elems <= 2048
0x800000 <= lg_term_dma   <= 0x4000000
If all listed fcs devices have both values in the indicated ranges, the system is not affected.  Otherwise,
3) Update the out-of-range values to be within the indicated range before a system update.  Changes might not be allowed to the attributes of an active device, so use the -P flag to save the value in the ODM only.
For example, if num_cmd_elems for fcs0 is less than 512, change it to 512 by running:

% chdev -l fcs0 -a num_cmd_elems=512 -P
fcs0 changed
Or if lg_term_dma value is greater than 0x4000000, then change it to 0x4000000 by running:

% chdev -l fcs0 -a lg_term_dma=0x4000000 -P
fcs0 changed
Once all out-of-range fcs attribute values are addressed, you can update to the 7200-05 TL or SP and avoid the hang.
NOTE: As of 25 November 2020 new SUMA and Fix Central orders include a fix for IJ29419, allowing systems to be updated and rebooted successfully without modifying device attributes.  As of 1 December 2020 Fix Central orders that use physical media include the fix as well.
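
The range check from steps 2 and 3 as an added example script, not IBM's code: it reads lsattr -El output, validates each value before doing arithmetic on it, and prints the chdev ... -P command that moves an out-of-range attribute to the nearest limit, as in the examples above. The function names and the npiv_check.sh file name are assumptions; the sample input is constructed from the output shown in this tip.

```shell
#!/bin/sh
# Added example (not IBM code): preflight for the NPIV boot hang, APAR IJ29419.
# Limits are the ranges given in this tip.
NCE_MIN=512            NCE_MAX=2048             # num_cmd_elems
LTD_MIN=$((0x800000))  LTD_MAX=$((0x4000000))   # lg_term_dma

# check_fcs_attrs DEV   (reads `lsattr -El DEV` output on stdin)
# Prints one "chdev ... -P" line per out-of-range attribute.
# Returns 0 = both in range, 1 = change needed, 2 = output cannot be judged.
check_fcs_attrs() (
    dev=$1 rc=0 seen=0
    while read -r attr value rest; do
        case $attr in
            num_cmd_elems) min=$NCE_MIN max=$NCE_MAX fmt='%d' ;;
            lg_term_dma)   min=$LTD_MIN max=$LTD_MAX fmt='0x%x' ;;
            *) continue ;;
        esac
        # Accept only plain decimal or 0x-hex text before evaluating it.
        case $value in
            '' | 0[xX] | 0[xX]*[!0-9a-fA-F]*) return 2 ;;
            0[xX]*) ;;
            *[!0-9]* | 0?*) return 2 ;;
        esac
        seen=$((seen + 1))
        num=$(($value))
        if   [ "$num" -lt "$min" ]; then new=$min
        elif [ "$num" -gt "$max" ]; then new=$max
        else continue
        fi
        rc=1
        printf "chdev -l %s -a %s=$fmt -P\n" "$dev" "$attr" "$new"
    done
    [ "$seen" -eq 2 ] || return 2
    return "$rc"
)

# scan_npiv_adapters: check every NPIV client adapter (AIX only).
# Returns 1 if any adapter needs a change or could not be judged.
scan_npiv_adapters() {
    flagged=0
    for dev in $(LANG=C lsdev |
                 awk '/Virtual Fibre Channel Client Adapter/ { print $1 }'); do
        lsattr -El "$dev" | check_fcs_attrs "$dev" || flagged=1
    done
    return "$flagged"
}

# sample_lsattr: constructed sample, copied from the lsattr output in this tip.
sample_lsattr() {
    cat <<'EOF'
intr_priority  3          Interrupt priority                  False
lg_term_dma    0x8000000  Long term DMA                       True
max_xfer_size  0x1000000  Maximum Transfer Size               True
num_cmd_elems  256        Maximum Number of COMMAND Elements  True
sw_fc_class    2          FC Class for Fabric                 True
EOF
}

# Stand-alone (npiv_check.sh is a hypothetical file name):
#   sh npiv_check.sh scan     on AIX
#   sh npiv_check.sh sample   anywhere
case ${1:-} in
    scan)   scan_npiv_adapters ;;
    sample) sample_lsattr | check_fcs_attrs fcs0 ;;
esac
```

On the sample output from this tip, both attributes are flagged: lg_term_dma is above its upper limit and num_cmd_elems is below its lower limit.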

13 November 2020

bos.txt.tfs error updating with 7200-05-00-2037 DVDs or ISO images

Attempting to update an existing system with 7200-05-00-2037 DVDs or ISO images results in the following error when the optional bos.txt.ibm3812.fnt fileset is present on the system:

instal:  Failed while executing the ./bos.txt.tfs.post_i script.

and bos.txt.tfs is removed from the system.  This will cause the update to fail but can be recovered by re-attempting the update with the "C" locale.  For example, assuming you're updating from media in /dev/cd0, you would run:

% LANG=C
% LC_MESSAGES=$LANG
% export LANG LC_MESSAGES
% installp -aXYgd /dev/cd0 bos.txt.tfs
% smitty update_all

The installp command will remedy the bos.txt.tfs error and the final command should allow you to finish your update of any missing changes that failed to install due to a bos.txt.tfs dependency.


21 May 2020

ofed.rds.rte 7.2.4.1 fails to install from 7200-04-02-2015 and 7200-04-02-2016 base media

Attempting to install ofed.rds.rte from base media for 7200-04-02-2015 or 7200-04-02-2016 will fail with error:

sysck: 3001-017 Errors were detected validating the files
        for package ofed.rds.rte.

0503-464 installp:  The installation has FAILED for the "usr" part
        of the following filesets:
        ofed.rds.rte 7.2.4.1

A corrected ofed.rds package is available at https://aix.software.ibm.com/aix/fixes/7242/ofed.rds and delivers the 7.2.4.2 version of the ofed.rds.rte file set.  The image is also available via anonymous FTP from the same location.


14 April 2020

Preinstalled systems could show oslevel 7200-04-00-0000

Some systems were preinstalled such that oslevel -s reports 7200-04-00-0000 instead of 7200-04-01-1939.  These systems cannot be updated to Service Pack 7200-04-01-1939 because those changes are already installed.

Upgrading to Technology Level 7200-04-00-1937 Or Service Pack 7200-04-01-1939 Fails To Commit

Upgrades to the mentioned levels, with commit set to yes, apply the updates and return successfully but fail to commit the software.  For example, running "smitty update_all", which attempts to commit by default, returns "OK" even though the commits fail.

You can commit afterward by selecting "Commit Applied Software Updates" in SMIT or by running the installp command with the "-g" flag:

% installp -e /tmp/commit.log -gcX all

9 December 2019

7200-01 End of Service Pack Support

AIX 7.2 Technology Level (TL) 7200-01 reached the End of Service Pack Support (EoSPS) on 30 November 2019.  There are no further service packs planned for this TL.  It is highly recommended that 7200-01 systems be updated to current levels to help ensure system security and stability.  Refer to the AIX Support Lifecycle for details on past and planned EoSPS dates.

15 November 2019

7200-04 sendmail 8.15.2

Starting with TL 7200-04, AIX ships sendmail 8.15.2 which is more secure than the previous version.  If you used sendmail on prior TLs and update to TL 7200-04 or later, you need to take action to continue to use sendmail.
See the IBM Documentation entry for the sendmail command and refer to the section "Migration to AIX 7 with 7200-04" for full details.

7200-04 smitty update_all Failure

When running with bos.rte.install at the 7.2.4.0 level and running smitty update_all to update to a later level, you might see the following error on the first run:
installp:  The installp command has been updated. Reinvoking installp
        to process the remaining items.
Unable to set up Trusted Execution environment for Installation to proceed.
This can be overcome by attempting the operation again, as this error only occurs on the first attempt.  See APAR IJ20765 for details.

10 May 2019

7200-00 End of Service Pack Support

AIX 7.2 Technology Level (TL) 7200-00 reached the End of Service Pack Support (EoSPS) on 31 December 2018.  There are no further service packs planned for this TL.  It is highly recommended that 7200-00 systems be updated to current levels to help ensure system security and stability.  Refer to the AIX Support Lifecycle for details on past and planned EoSPS dates.

Service Packs and CVE-2018-6922

When you update to any of:
  • 7200-03-03-1914 (or later)
  • 7200-02-04-1914 (or later)
  • 7200-01-06-1914 (or later)
Be aware that interim fixes obtained in response to security bulletin "Vulnerability in FreeBSD affects AIX (CVE-2018-6922)" set the default value of the new tcp_maxqueuelen network option to 1000.  But there is no single nonzero value appropriate for all systems, so the listed service packs deliver a default value of zero.  Systems where the option has been manually set see no change upon applying SPs since the manually configured value is used instead of the defaults.  All other systems see the value revert to zero after application of the SP, so administrators are encouraged to identify and set values that work best for their environment.  For advice on choosing a value, see technote https://www-01.ibm.com/support/docview.wss?uid=ibm10794755.

21 September 2018

PowerHA SystemMirror

After upgrading to 7200-03 and rebooting, PowerHA SystemMirror customers might see an error when running lppchk:

lppchk: File /etc/rc.d/rc2.d/Kcluster could not be located.

This error can be safely ignored. It does not impact cluster functionality, as the referenced file is no longer used.


3 November 2017

TL2 SP1 revision 7200-02-01-1732

To enable support of POWER9 systems on AIX 7.2 TL2 SP1, a new revision of the service pack has been created. The original revision was 7200-02-01-1731, and the new revision is 7200-02-01-1732. The only functional change is:
IJ02570  DLPAR operation failed with error HSCL294E

Updating from pre-TL2 to TL2 or later with RPMs

Users with RPMs installed who are updating or migrating to AIX 7.1 TL5 are advised to refer to the following Technotes:

29 September 2017

Migration and Java6

If you previously migrated to 7.2, and have Java6 software installed, there might be newer levels on the Expansion Pack. An update_all operation that uses the Expansion Pack media as the software source upgrades any software moved to the Expansion Pack.

To determine whether you still need Java6, you might do a preview removal to find any requisites; if there are none, Java6 might be removed. More information on Java6 and AIX Version 7.2 is in the 7.2 Release Notes.


27 January 2017

7200-01 Service Pack 1 Update

As of 21 December 2016, Service Pack (SP) 7200-01-01-1642 was updated on FixCentral to add two additional fixes:

IV91432 getsockname() returns incorrect namelength
IV91020 crash in vioent_init_ls_timer when poll_uplink=yes

To reflect that the content had been augmented, the name of the SP was incremented to 7200-01-01-1643 for ordering purposes only.

Once downloaded and applied to a system, the oslevel output remains:

% oslevel -s
7200-01-01-1642

Presence of the additional fixes can be verified by instfix:

% instfix -iqk IV91432
    All filesets for IV91432 were found.
% instfix -iqk IV91020
    All filesets for IV91020 were found.

7200-01 Technology Level Update

As of 20 December 2016, Technology Level (TL) 7200-01-00-1642 was updated on FixCentral to add two additional fixes:

IV91432 getsockname() returns incorrect namelength
IV91020 crash in vioent_init_ls_timer when poll_uplink=yes

To reflect that the content had been augmented, the name of the TL was incremented to 7200-01-00-1643 for ordering purposes only.

Once downloaded and applied to a system, the oslevel output remains:

% oslevel -r
7200-01
% oslevel -s
7200-01-01-1642

Presence of the additional fixes can be verified by instfix:

% instfix -iqk IV91432
    All filesets for IV91432 were found.
% instfix -iqk IV91020
    All filesets for IV91020 were found.

30 November 2016

VIO Client Crash with poll_uplink=yes

VIO client LPARs running the AIX 7200-01 Technology Level with devices.vdevice.IBM.l-lan.rte at 7.2.1.0 might crash during reboot if they use virtual ethernet with the poll_uplink attribute set to 'yes' for any virtual ethernet adapter device.

The device attribute can be verified with:

% lsattr -El entX -a poll_uplink
When you update to an affected level, be sure to apply the fix for APAR IV91020 before reboot. Until the next service pack is available, an interim fix is available from either:
Installation of the interim fix requires a reboot.

If hit, the crash shows information similar to:

Illegal Trap Instruction Interrupt in Kernel
.vioent_init_ls_timer+000000 tdllti r31,200
If this crash is experienced, the system can be recovered by temporarily removing the virtual ethernet device(s) from the LPAR profile and rebooting. Then the attribute can be unset and the system reactivated with the original profile.

The device attribute can be changed with:

% chdev -l entX -a poll_uplink=no

25 July 2016 (and earlier)

jfs2 Tuning for Migrated AIX 6.1 Systems

The default value of the j2_inodeCacheSize tunable parameter was changed from 400 to 200. The j2_inodeCacheSize tunable parameter allows approximately 50,000 open files per gigabyte (GB) of main memory, and improves system performance. However, the j2_inodeCacheSize tunable parameter value of 200 can cause issues in systems that have a small amount of main memory (4 GB or less) and many concurrent users or many concurrent open files. To fix these issues, you can change the values for the j2_inodeCacheSize and the j2_metadataCacheSize tunable parameters from 200 to the previous value of 400 by running the following command.

Note: When you run the following command, the current value and boot value of both the tunable parameters are reset.

% ioo -p -o j2_inodeCacheSize=400 -o j2_metadataCacheSize=400

If the issues are not fixed after you change the values for the j2_inodeCacheSize and the j2_metadataCacheSize tunable parameters, you can contact IBM Support.

Cannot boot from USB-attached DVD

Volume 1 of the AIX 7.2 7200-00-02 DVD install media does not boot in a USB-attached DVD drive and cannot be used to install a system from such a drive.

To identify affected (bad) media, check the DVD label for the following:

TL 7200-00-02
05/2016
LK4T-1807-01
LCD8-2230-01
A fixed (good) DVD label shows:
TL 7200-00-02.1
07/2016
LK4T-1807-02
LCD8-2230-02
The TL, date, and form numbers have all been incremented on the fixed media.
As of 18 July 2016, all media orders ship with a fixed version of the DVD.
Customers with affected media can get updated ISO images through the ESS website:

Migration and RSCT 3.2.1.0

When migrating to AIX 7.2 the file set rsct.core.utils 3.2.1.0 is applied to the system. This level of RSCT is incompatible with rsct.vsd and rsct.lapi.rte file sets that might already be installed. rsct.vsd and rsct.lapi.rte should be uninstalled before applying updates or migrating to AIX 7.2. In addition, after the file sets are removed, the /opt/rsct directory needs to be renamed with a command like:
% mv /opt/rsct /opt/rsct.old

Failure to remove the file sets or to rename the directory results in an error during the installation of the rsct.core.utils 3.2.1.0 file set:

rmdir(/opt/rsct): Do not specify an existing file.
sysck: 3001-017 Errors were detected validating the files
for package rsct.core.utils.

0503-464 installp: The installation has FAILED for the "usr" part

In addition to preventing rsct.core.utils from moving to the proper level, many requisite rsct file sets are not migrated.

To recover from a failed migration, first ensure that rsct.lapi.rte and rsct.vsd are removed from the system. Then, rename /opt/rsct to /opt/rsct.old. Finally, do a smitty update_all from the migration medium to get the missing file sets installed.

Document Information

Modified date:
26 January 2024

UID

ibm10883116