Flashes (Alerts)
Abstract
Defects 38242 and 38898 - Potential AIX system crash when CA eTrust is already installed and Guardium is then installed
The problem can happen in the following scenarios:
- when upgrading Guardium software using the live upgrade method
- with a fresh installation of the Guardium software
Content
Specifically, a crash occurs within the K-TAP module when a pointer gets corrupted.
Remediation:
IBM have produced a new AIX S-TAP installer. Where the CA product is installed and running, the following procedure can be run.
For all STAPs r57269 and above.
Installing STAP for the first time on AIX:
1) If system is running with storage keys: disable storage keys
skctl -k off -u off
/usr/sbin/bosboot -a
reboot
2) If you wish to use GIM - install GIM
3) This step was amended in Feb 2018 due to new information that has come to light: the storage keys on AIX need to be disabled before the installation of the STAP, which allows KTAP to be loaded. When the storage keys are disabled, the load order is not important, and hence there is no need to perform the original step 3) below.

Original step 3) was this (there is no need to follow this step now):
-------------------- not needed now --------------
Stop CA user process - Your System Administrator should be aware of the exact commands to use - the following is an example only:
bash-3.2# /opt/CA/AccessControl/bin/secons -s
CA ControlMinder secons v12.80.0.1432 - Console utility
Copyright (c) 2013 CA. All rights reserved.
CA ControlMinder is now DOWN !
bash-3.2# ps -ef | grep CA
root 4129172 3998270 0 11:11:01 pts/0 0:00 grep CA
bash-3.2#

4) Install and configure STAP/KTAP (either via GIM or using a standalone shell installer).
Once the STAP is installed, check that the K-TAP module is loaded first, before the CA kernel module. The genkex command displays loaded kernel modules in the order in which they have been loaded, with the most recently loaded module at the top of the list.
For example, below the ktap is listed AFTER the SEOS, hence it was loaded BEFORE the SEOS:
genkex | grep -E "ktap|SEOS"
f1000000c0456000 4c4000 /opt/CA/AccessControl/bin/SEOS_syscall
6720000 90000 /etc/drivers/guardium/aix_ktap57269.64
If the KTAP module is not listed after the SEOS, then
reboot
and check again with the genkex command that it is listed AFTER the SEOS.
Verify that STAP is communicating and fully functional.
5) Verify the boot order in /etc/inittab is KTAP load (via /etc/rc), then seos (CA eTrust), then S-TAP - for example:
bash-3.2# grep -E "^rc|^seos|^utap" /etc/inittab
rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console # Multi-User checks
rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons
rcitm2:2:once:/etc/rc.itm2 > /dev/console 2>&1
rcitm6:2:once:/etc/rc.itm6 start > /dev/console 2>&1
rcitm5:2:wait:/etc/rc.itm5 > /dev/console 2>&1
rcitm4:2:wait:/etc/rc.itm4 > /dev/console 2>&1
rcitm3:2:wait:/etc/rc.itm3 > /dev/console 2>&1
rcitm1:2:wait:/etc/rc.itm1 > /dev/console 2>&1
rcml:2:once:/usr/ml/aix71/rc.ml > /dev/console 2>&1
rcwpars:2:once:/etc/rc.wpars > /dev/console 2>&1 # Corrals autostart
seos:2:once:/opt/CA/AccessControl/rc.SeOS.base
utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
6) Reboot the system
7) Check that Guardium and CA have been loaded correctly - for example:
bash-3.2# genkex | grep -E "ktap|SEOS"
f1000000c0456000 4c4000 /opt/CA/AccessControl/bin/SEOS_syscall
6720000 90000 /etc/drivers/guardium/aix_ktap57269.64
bash-3.2#
bash-3.2# ps -ef | grep stap
root 4587664 3343152 0 11:45:47 pts/0 0:00 grep stap
root 3080900 1 0 11:21:52 - 0:00 /usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
8) If needed - Restart CA user process - Your System Administrator should be aware of the exact commands to use - the following is an example only:
/opt/CA/AccessControl/bin/secons
....
Upgrading STAP on AIX:
- Basically do steps 3/4/5 above (in this case step 4 is an upgrade and not a fresh install).
In a live upgrade the new KTAP Kernel Module will replace the existing KTAP Kernel Module and so will be installed correctly BEFORE the SEOS.
Rebooting AIX:
- On EVERY REBOOT, please make certain that KTAP loads first, before the CA kernel module - with the genkex command as in 4. above
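
The load-order check from step 4 and the /etc/inittab order from step 5 can be scripted so they are repeatable after every reboot. The following is an added example, not part of IBM's original flash or installer; the function names and exit codes are assumptions of this example, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and exit codes are assumptions.
# Both functions read stdin and return: 0 = order correct, 1 = wrong order,
# 2 = an expected entry is missing.

# genkex lists the most recently loaded module first, so K-TAP must appear on
# a LATER line than SEOS to have been loaded BEFORE it (step 4).
check_genkex() {
    awk '
        /ktap/ && !k { k = NR }
        /SEOS/ && !s { s = NR }
        END { if (!k || !s) exit 2; exit ((k > s) ? 0 : 1) }'
}

# /etc/inittab entries must appear in the order rc, seos, utap (step 5).
# Only the identifier field is compared, so rctcpip, rcnfs etc. are ignored.
check_inittab() {
    awk -F: '
        $1 == "rc"   && !r { r = NR }
        $1 == "seos" && !s { s = NR }
        $1 == "utap" && !u { u = NR }
        END { if (!r || !s || !u) exit 2; exit ((r < s && s < u) ? 0 : 1) }'
}

# Demo on constructed sample input in the layout shown on this page.
# On a real host: genkex | check_genkex ; check_inittab < /etc/inittab
demo() {
    check_genkex <<'EOF' && echo "genkex: K-TAP was loaded before SEOS"
f1000000c0456000 4c4000 /opt/CA/AccessControl/bin/SEOS_syscall
6720000 90000 /etc/drivers/guardium/aix_ktap57269.64
EOF
    check_inittab <<'EOF' && echo "inittab: rc, seos, utap in expected order"
rc:23456789:wait:/etc/rc 2>&1 | alog -tboot > /dev/console
seos:2:once:/opt/CA/AccessControl/rc.SeOS.base
utap:2345:respawn:/usr/local/guardium/guard_stap/guard_stap /usr/local/guardium/guard_stap/guard_tap.ini
EOF
}
demo
```

A return code of 2 from either function means one of the expected entries was not found, which is worth treating as a failure in its own right rather than as a pass.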
Document Information
Modified date: 25 September 2022
UID: swg21666631